Re: Reliability of signatures

["Fraser, Hugh" <hugh.fraser () arcelormittal com>]

I understand that the priority and classification alone aren't enough to
make a decision, but I use OSSIM as the decision making tool and
incorporate a lot of other sources of information (including a
commercial IDS/IPS) along with associated correlation rules to try to
make an intelligent decision about what's happening. What I'm looking
for is less the characterization, but more the "how sure are we this is
really what we think it is" to help with the calculation of risk. 

-----Original Message-----
From: Martin Holste [mailto:mcholste () gmail com] 
Sent: Friday, February 04, 2011 9:51 AM
To: Fraser, Hugh
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Reliability of signatures

> The snort signatures have a priority associated with them, either in 
> the rule itself, or in the classification. Is there anywhere that the 
> reliability (ie. the chance of it not reporting a false positive) of 
> the signature is recorded?

No.  There has been a lot of discussion regarding whether or not
something like that would be helpful.  I think the short answer is that
environments and preferences vary too widely to be able to effectively
communicate a signature's fidelity.  I would also argue for those same
reasons priority should not be suggested either and it should be
deprecated.

I ignore both priority and classification for signatures as they are
terribly broken right now.  For instance, the signature "CHAT MSN
messenger http link transmission attempt" is classified as Trojan
activity.  Sure, links in an MSN message can point to malware, but I
hardly think that every MSN message with a link in it should be
classified as "Trojan activity."  This is not good intel.

An effort is underway to redo the classification system, which is very
welcome.  However, I believe the new classification system will be
almost as unhelpful because though more specific, it only allows for a
signature to be placed in one category.  I favor a tagging system in
which a signature can have many tags applied to it for a comprehensive
representation of the signature author's intent.



------------------------------------------------------------------------------
The modern datacenter depends on network connectivity to access resources
and provide services. The best practices for maximizing a physical server's
connectivity to a physical network are well understood - see how these
rules translate into the virtual world? 
http://p.sf.net/sfu/oracle-sfdevnlfb
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users