From Makers Local 256
Revision as of 20:32, 15 February 2008 by Strages (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

(Signatures Observed Working)


A simple voting system integrated into Snort signature test environment. Designed to prevent the rollout of bad signatures into a production environment. Easiest method to determine the validity of signatures with minimal impact on testers.



What you'll need

  • Snort running on your choice of OS(preferably Linux, *BSD, or Solaris)
  • Web front-end for evaluating Snort signature trips.
    • Take your pick as to which one you want to use and mod it, or make your own.


  • For each signature that trips on the test system the user is presented with a voting system similar to a simple poll in a blog.
    • User has three options when evaluating a signature trip:
      • Good: The signature tripped on what it was designed to and the traffic is hostile in nature.
        • Good signatures are rolled out into production at regular intervals.
      • Needs work: Either the signature tripped on what it was supposed to but the traffic isn't necessarily hostile, or the traffic is hostile but the signature could use some tightening.
        • A brief note will need to be provided with reasoning and/or suggestions.
        • Signatures that need work are changed and put back in for more testing until they're Good.
      • Bad: The signature trips on normal/non-hostile traffic(false positives).
        • A brief note will need to be provided with reasoning.
        • Bad signatures are dropped permanently.
  • Will support multiple users.
    • Simple metrics will be kept on user interaction with the system.
      • Shows how often certain users participate in the signature testing.
      • Shows general differences in user analysis of similar signature trips.
        • Could reveal problems with how employees are working and how to fix them.
  • Reports can be generated at any point to determine the performance of any individual signature or as a whole.
    • or any individual user or as a whole for that matter.
    • Certain reports might need to be generated on a realtime basis to give a better overview of what's going on.


  • Read only access to a database containing snort trips would be needed.
    • Actual voting data can be stored in a different place.


  • 08/22/2007: Presented the idea to my boss at work, who liked the idea and asked that I present it to the guys handling snort signatures. I presented it to them and they seemed to like the idea as well. I'm currently working with them on trying to recycle some code from an exisiting similar system that they already developed for another purpose.