Re: Rules utilisation: msg#00163

security.ids.snort.sigs

Subject: Re: Rules utilisation

On Thu, 2004-10-21 at 02:38, Matt Jonkman wrote:
> You're very right. That's a definite need, and something we're working
> toward at bleeding snort.
>
> What we hope to have is a form of voting system, or a confidence level.
> The success of that kind of thing very much depends on participation.
>
> We're just about done with a web based rule manager and database. Once
> that's out and functional we'll start looking at the mechanism of
> getting a confidence level of these. Ideas on how to do so are
> definitely welcome.
>
> I've been mulling the idea of some form of script mechanisms to automate
> some anonymous reporting similar to dshield, but that wouldn't give us a
> differentiation for a false positive or true positive hit. That would
> require human interpretation.
>
> Relying on voluntary voting likely wouldn't be that reliable. The trend
> would be to only vote on rules that caused problems, thus only showing us
> a negative confidence. The process of manually voting would be rather
> tedious as well.
>
> Other ideas anyone?
>

Everyone fly to Florida and vote on this issue? Oh wait, the rule is no
rules there. Hmmm, Gotta come up with another plan.

> Matt
>
> Chich Thierry wrote:
> > Hello,
> >
> > There is something that I don't understand. I believed that
> > the bleeding-edge rules were done in order to test the validity
> > of the rules.
> >
> > However, I have never seen a mechanism that allows collecting
> > experiences with bleeding-edge rules.
> >
> > I give an example: Monday, an infected computer was plugged
> > into the internal network I am managing. This computer initiated
> > an IRC connection and received instructions. A dozen computers were
> > then infected with an unknown virus exploiting the LSA vulnerability.
> > Some rules have been useful in such circumstances:
> > the rules on LSA, the rules on IRC communication on non-standard ports,
> > and the RXBOT rules.
> >
> > In my opinion, this kind of rule, which has proved to be useful, should
> > be distinguished. I don't know exactly how it is possible to do such a
> > thing.
> > Perhaps a vote, or something that can summarize the worth of the rules
> > on at least 3 criteria:
> > criticality
> > number of positives
> > number of false positives
> >
> >
> > Thierry
> >
> >
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
> Use IT products in your business? Tell us what you think of them. Give us
> Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
> http://productguide.itmanagersjournal.com/guidepromo.tmpl
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs@xxxxxxxxxxxxxxxxxxxxx
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
--

-- Unix is sexy. "find", "talk", "unzip", "strip", "touch", "finger",
"mount", "split", "unmount", "sleep".
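As an added illustration of the confidence-level idea discussed in this thread (example code, not from the list or from bleeding snort): it takes human-reviewed alert verdicts and summarises each rule on Thierry's three criteria, using a Wilson lower bound so that a rule with a single vote does not look fully trusted. The feedback records, SIDs and criticality values are constructed placeholders.

```python
import math
from collections import defaultdict

# Constructed feedback records (sample data, not from the list): one entry per
# alert a human reviewed, as (sid, verdict, criticality 1..5). SIDs are placeholders.
FEEDBACK = [
    (9000001, "tp", 5), (9000001, "tp", 5), (9000001, "tp", 5), (9000001, "fp", 5),
    (9000002, "tp", 3),  # one vote only: must not come out as 100% confidence
    (9000003, "fp", 2), (9000003, "fp", 2), (9000003, "fp", 2), (9000003, "fp", 2),
]

def wilson_lower(successes, n, z=1.96):
    """Lower bound of the 95% Wilson score interval for a proportion.

    Unlike the raw rate tp/n, this penalises small samples, so a rule with a
    single true positive scores well below a rule confirmed many times.
    """
    if n == 0:
        return 0.0
    p = successes / n
    denom = 1 + z * z / n
    centre = p + z * z / (2 * n)
    spread = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n))
    return max(0.0, (centre - spread) / denom)

def summarise(feedback):
    """Aggregate per-SID reports into the three criteria from the thread plus a confidence."""
    tp = defaultdict(int)
    fp = defaultdict(int)
    crit = {}
    for sid, verdict, criticality in feedback:
        if verdict == "tp":
            tp[sid] += 1
        elif verdict == "fp":
            fp[sid] += 1
        else:
            raise ValueError(f"unknown verdict {verdict!r} for sid {sid}")
        crit[sid] = max(crit.get(sid, 0), criticality)  # keep the highest reported severity
    summary = {}
    for sid in crit:
        n = tp[sid] + fp[sid]
        summary[sid] = {
            "criticality": crit[sid],
            "positives": tp[sid],
            "false_positives": fp[sid],
            "confidence": round(wilson_lower(tp[sid], n), 3),
        }
    return summary

if __name__ == "__main__":
    for sid, row in sorted(summarise(FEEDBACK).items(), key=lambda kv: -kv[1]["confidence"]):
        print(sid, row)
```

Because only reviewed alerts are counted, a rule that is never reported on stays at zero confidence, which matches Matt's point that unprompted votes tend to surface only the rules that caused problems.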




