Snort mailing list archives

Re: Reliability of signatures


From: waldo kitty <wkitty42 () windstream net>
Date: Fri, 04 Feb 2011 19:50:49 -0500

On 2/4/2011 13:45, Martin Holste wrote:
>> Personally, I'd like to know what
>> the most important (as measured, perhaps, as the most hits)
>
> Ok, hang on--I'd actually say that you can get a pretty good idea of
> the most important signatures by sorting them in ascending order by
> hits.  The higher the number of hits, the greater probability that
> each hit is an FP and the signature isn't helpful.

on the surface, i can't agree with this... in my environment, which has been 
carefully tuned for my network(s), i see almost no false positives... almost 
every rule alerted on is properly alerted on the contents of the network 
packet(s) analyzed... the problem that i've found is that while a packet might 
match the rule, the rule MSG is on the "scare" side of the fence such that all 
traffic that matches the rule is classified incorrectly... while some traffic 
might be classified correctly, the "FP" traffic is not even though it /does/ 
match the rule in question...

> Important caveats
> would be for the sigs that aren't alerting on "bad" traffic, but
> traffic that is usually good unless it's from a certain IP address
> (JAR files, exe files, etc.) or SCAN signatures.  That nuance actually
> makes this kind of hard to do in a helpful way.

i think i see what you are saying and that i can agree with it ;)

> It's for this reason that I want the manual submissions, not based on logs.

+1.5 with a caveat that this means more manual labor for those who are already 
stuffed to the gills if they want to contribute... i'm not sure, off the top of 
my head, how this might be handled... especially in an environment where there 
are no reporting participation capabilities in place :?
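The two positions in this exchange (Martin's "sort by hits and the top of the list is mostly FPs" and waldo's "the matches are correct, it's the msg that misleads") can be checked against your own alert log rather than argued in the abstract. The script below is an added example written for this thread, not code from either poster or from the Snort project. It parses Snort's alert_fast line format (the regex assumes that layout; adjust it for other output plugins), counts hits and distinct source addresses per SID, and ranks rules with the noisiest first. The distinct-source count is what separates Martin's caveat case (a rule that is fine except when one particular host triggers it, which wants a threshold or suppress entry for that host) from a rule that fires broadly and whose msg and classification deserve a second look. The sample alerts, SIDs (local 1000000+ range) and addresses (documentation ranges) are constructed for the example.

```python
"""Rank Snort rules by alert volume to pick candidates for tuning review."""
import re

# Parser for Snort's alert_fast line format (assumed layout; adjust if your
# output plugin differs). Ports are optional because ICMP alerts carry none,
# and the Classification field is optional because not every rule sets one.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<pri>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts: SIDs are in the local (1000000+) range and
# addresses are documentation ranges; none of this is real traffic.
SAMPLE_ALERTS = """\
02/04-19:50:49.123456  [**] [1:1000001:1] LOCAL SCAN inbound port probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:44122 -> 192.0.2.10:22
02/04-19:50:50.223456  [**] [1:1000001:1] LOCAL SCAN inbound port probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:44123 -> 192.0.2.10:23
02/04-19:51:02.000001  [**] [1:1000001:1] LOCAL SCAN inbound port probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:51000 -> 192.0.2.10:22
02/04-19:52:10.000001  [**] [1:1000002:2] LOCAL POLICY EXE download over HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 198.51.100.20:80 -> 192.0.2.31:49152
02/04-19:52:11.000001  [**] [1:1000002:2] LOCAL POLICY EXE download over HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 198.51.100.20:80 -> 192.0.2.32:49153
02/04-19:52:12.000001  [**] [1:1000002:2] LOCAL POLICY EXE download over HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 198.51.100.20:80 -> 192.0.2.33:49154
02/04-19:52:13.000001  [**] [1:1000002:2] LOCAL POLICY EXE download over HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 198.51.100.20:80 -> 192.0.2.34:49155
02/04-19:53:00.000001  [**] [1:1000003:1] LOCAL ICMP echo from outside [**] [Priority: 3] {ICMP} 203.0.113.9 -> 192.0.2.10
"""


def parse_alerts(text):
    """Yield one dict of named fields per parseable alert line; skip the rest."""
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            yield m.groupdict()


def summarize_by_sid(text):
    """Aggregate hit count and the set of distinct source addresses per SID."""
    stats = {}
    for a in parse_alerts(text):
        sid = int(a["sid"])
        entry = stats.setdefault(sid, {"msg": a["msg"], "hits": 0, "sources": set()})
        entry["hits"] += 1
        entry["sources"].add(a["src"])
    return stats


def rank_for_review(text, high_volume=3):
    """Return (sid, msg, hits, distinct_sources, hint) tuples, noisiest rule first.

    The hint separates the two cases the thread distinguishes: a rule that
    fires constantly from a single host is usually a candidate for a
    threshold/suppress entry for that host, while a rule that fires broadly
    deserves a look at whether its msg/classification describe what it matches.
    """
    rows = []
    for sid, e in summarize_by_sid(text).items():
        n_src = len(e["sources"])
        if e["hits"] >= high_volume and n_src == 1:
            hint = "single-source volume: consider a threshold/suppress for that host"
        elif e["hits"] >= high_volume:
            hint = "broad volume: verify the rule's intent and msg match what it detects"
        else:
            hint = "low volume: leave as is"
        rows.append((sid, e["msg"], e["hits"], n_src, hint))
    # Most hits first; tie-break on SID so the order is deterministic.
    rows.sort(key=lambda r: (-r[2], r[0]))
    return rows


if __name__ == "__main__":
    for sid, msg, hits, n_src, hint in rank_for_review(SAMPLE_ALERTS):
        print(f"{hits:5d} hits  {n_src:2d} src  sid:{sid}  {msg}\n        -> {hint}")
```

Run it against a real alert file by replacing SAMPLE_ALERTS with the file's contents; the per-SID output is a starting point for the manual review Martin asks for, not a substitute for reading the rule and a few of the packets it matched.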

