Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Snort-sigs] Rules utilisation

from [Chich Thierry] Network Security [Permanent Link]
Subject: [Snort-sigs] Rules utilisation
Date: Wed, 20 Oct 2004 11:14:16 +0200 
Hello,

There is something that I don't understand. I was believing that
the bleeding-edge rules was done in order to test the validity
of the rules.

However, I never see that there is a mecanism that allow to collect
experiences with bleeding-edge rules.

I give an example: Monday, a infected computer has been plugged
on the internal network I am managing. This computer has initiating
an IRC connection and receive instructions. A dozen computers are
then infected with an unknow virus exploiting the Lsa  vulnerability.
Some rules have been usefull in such circonstances :
the rules on LSA,  the rules on IRC  communication on  non standard port,
and  RXBOT rules.

In my opinion, these kind of rules, that have proved to be usefull should
be distinguished. I don't know exactly how it is possible to do such a thing.
Perhaps a vote, or something that can summarize the worth of the rules
on at least 3 criterions:
criticality
number of positives
number of false positives


Thierry



-------------------------------------------------------
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us
Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjournal.com/guidepromo.tmpl
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Snort-sigs] reporting false positives..., Matthew Watchinski
Next by Date:  Re: [Snort-sigs] Rules utilisation, Matt Jonkman
Previous by Thread:  [Snort-sigs] Broken thresholding in 2923.1 and 2924.1?, nnposter
Next by Thread:  Re: [Snort-sigs] Rules utilisation, Matt Jonkman
Indexes:  [Date] [Thread] [Top] [All Lists]