
Re: Rules utilisation: msg#00162

security.ids.snort.sigs

Subject: Re: Rules utilisation

You're very right. That's a definite need, and something we're working toward at bleeding snort.

What we hope to have is a form of voting system, or a confidence level. The success of that kind of thing very much depends on participation.

We're just about done with a web based rule manager and database. Once that's out and functional we'll start looking at the mechanism of getting a confidence level of these. Ideas on how to do so are definitely welcome.

I've been mulling the idea of some form of script mechanisms to automate some anonymous reporting similar to dshield, but that wouldn't give us a differentiation for a false positive or true positive hit. That would require human interpretation.

Relying on voluntary voting likely wouldn't be that reliable. The trend would be to only vote on rules that caused problems, thus only showing us a negative confidence. The process of manually voting would be rather tedious as well.

Other ideas anyone?

Matt

Chich Thierry wrote:
Hello,

There is something that I don't understand. I was believing that
the bleeding-edge rules were done in order to test the validity
of the rules.

However, I never see that there is a mechanism that allows to collect
experiences with bleeding-edge rules.

I give an example: Monday, an infected computer was plugged
on the internal network I am managing. This computer initiated
an IRC connection and received instructions. A dozen computers were
then infected with an unknown virus exploiting the Lsa vulnerability.
Some rules have been useful in such circumstances:
the rules on LSA, the rules on IRC communication on non-standard ports,
and the RXBOT rules.

In my opinion, this kind of rule, that has proved to be useful, should
be distinguished. I don't know exactly how it is possible to do such a thing.
Perhaps a vote, or something that can summarize the worth of the rules
on at least 3 criteria:
criticality
number of positives
number of false positives


Thierry
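The thread discusses scoring each bleeding-edge rule on criticality, true positives and false positives, and Matt notes that raw hit counts cannot separate the two without a human verdict. The script below is an added illustration of how such reviewed reports could be aggregated per SID; it is not bleeding-snort's rule manager or any dshield code. The report line format (sid,verdict,criticality), the field names, the Laplace-smoothed confidence formula and the sample reports are all assumptions constructed for this example.

```python
"""Aggregate human-reviewed rule hit reports into a per-SID confidence score.

Added example for the confidence-level idea in the thread; not bleeding-snort's
own code.  Report format, field names and the scoring formula are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample reports, one reviewed alert per line in the hypothetical
# format "sid,verdict,criticality".  verdict is 'tp' (true positive) or 'fp'
# (false positive) as judged by the reviewer; criticality is the reviewer's
# 1-5 rating of how serious a genuine hit on that rule would be.
SAMPLE_REPORTS = """\
2001001,tp,5
2001001,tp,5
2001001,fp,5
2001002,fp,2
2001002,fp,2
2001002,fp,2
2001003,tp,4
"""


@dataclass
class RuleStats:
    positives: int = 0        # reviewed hits judged true positive
    false_positives: int = 0  # reviewed hits judged false positive
    criticality_sum: int = 0  # sum of reviewer criticality ratings

    @property
    def reports(self) -> int:
        return self.positives + self.false_positives

    @property
    def criticality(self) -> float:
        """Mean criticality across all reports for the rule (0.0 if none)."""
        return self.criticality_sum / self.reports if self.reports else 0.0

    @property
    def confidence(self) -> float:
        """Laplace-smoothed true-positive rate (tp+1)/(n+2): a rule with a
        single report stays near 0.5 instead of jumping to 0 or 1 on one vote,
        which is the 'negative confidence' skew Matt worries about."""
        return (self.positives + 1) / (self.reports + 2)


def parse_reports(text: str) -> dict:
    """Parse report lines into {sid: RuleStats}, rejecting malformed lines."""
    stats = defaultdict(RuleStats)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(",")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected sid,verdict,criticality")
        sid_s, verdict, crit_s = (p.strip() for p in parts)
        if verdict not in ("tp", "fp"):
            raise ValueError(f"line {lineno}: verdict must be 'tp' or 'fp'")
        sid, crit = int(sid_s), int(crit_s)
        if not 1 <= crit <= 5:
            raise ValueError(f"line {lineno}: criticality must be 1-5")
        s = stats[sid]
        if verdict == "tp":
            s.positives += 1
        else:
            s.false_positives += 1
        s.criticality_sum += crit
    return dict(stats)


def rank_rules(stats: dict, min_reports: int = 1) -> list:
    """Return (sid, confidence, criticality, positives, false_positives) rows,
    best-trusted rules first; ties broken by criticality, then SID."""
    rows = [
        (sid, round(s.confidence, 3), round(s.criticality, 2),
         s.positives, s.false_positives)
        for sid, s in stats.items() if s.reports >= min_reports
    ]
    rows.sort(key=lambda r: (-r[1], -r[2], r[0]))
    return rows


if __name__ == "__main__":
    print("sid      conf   crit  tp  fp")
    for sid, conf, crit, tp, fp in rank_rules(parse_reports(SAMPLE_REPORTS)):
        print(f"{sid}  {conf:.3f}  {crit:.2f}  {tp:2d}  {fp:2d}")
```

The smoothing is the design choice worth noting: because reviewers tend to report only the rules that caused trouble, an unsmoothed ratio would mark any rule with one false-positive report as worthless, whereas this keeps rules with little evidence in the middle of the ranking until more verdicts arrive. The min_reports threshold lets the ranking hide rules that have not yet been reviewed enough to mean anything.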