Re: [Emerging-Sigs] Reliability of signatures

[Michael Stone <mstone+snort () mathom us>]

On Fri, Feb 04, 2011 at 02:01:05PM -0500, Matthew Jonkman wrote:
> I agree on the difference between just logging hits and having true FP and TP ratings. But even a false positive can 
> be different on the same packet in different organizations. Many folks mark a hit a false positive because it's just 
> not of interest, vs nt hitting on what it's supposed to be looking for.

Well, even that distincion isn't so clear. Does "what it's supposed to 
be looking for" mean "the string the signature was written against" or 
"the malware the signature was written against"? 

Mike Stone

------------------------------------------------------------------------------
The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
Pinpoint memory and threading errors before they happen.
Find and fix more than 250 security defects in the development cycle.
Locate bottlenecks in serial and parallel code that limit performance.
http://p.sf.net/sfu/intel-dev2devfeb
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users