Snort mailing list archives
Re: Reliability of signatures
From: "Fraser, Hugh" <hugh.fraser () arcelormittal com>
Date: Fri, 4 Feb 2011 10:56:35 -0500
I like the idea of incorporating it into something the tools like oinkmaster can pull down. I'm trying to make do with a small security staff, and anything I can do that gets me closer to a hands-off exception reporting system is a good thing. So if a reliability value is available that I can incorporate into a risk calculation, that will allow me to make better judgements about how to react.

So what needs to be done to make this happen?

________________________________
From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Friday, February 04, 2011 10:33 AM
To: Martin Roesch
Cc: Jim Hranicky; snort-users () lists sourceforge net; Fraser, Hugh
Subject: Re: [Snort-users] Reliability of signatures

On Fri, Feb 4, 2011 at 10:23 AM, Martin Roesch <roesch () sourcefire com> wrote:

On Fri, Feb 4, 2011 at 10:16 AM, Jim Hranicky <jfh () ufl edu> wrote:
> On Fri, 4 Feb 2011 09:13:12 -0600
> Martin Holste <mcholste () gmail com> wrote:
>
>> > Seems like there'd almost need to be a central place that various
>> > entities could report their findings. I know we've got rules that we
>> > rely on heavily and work very well for us, but other than mailing lists
>> > there's no place to report our findings.
>> >
>>
>> Hm, you mean like a vote up/down system like StackOverflow.com? That
>> could be really interesting. It would be very valuable to see what
>> others are finding to be helpful.
>
> Sure, something like that - that would actually be very cool.

I like that idea too. It'd make a lot of sense to integrate it into snort.org - in fact there's probably a lot of data about Snort detection performance, config options and rule quality we could put up there. Communication favors the defender...

I would think it would need to have some kind of automatic reporting method, perhaps with manual commenting?

J

--
Joel Esler | 706-231-1451 | http://blog.snort.org | http://blog.clamav.net
