Forum Discussion
mister_paul_717
Nimbostratus
Sep 16, 2009
managing signatures
Hey everyone,
I'm trying to find a way to manage our signatures better, because the way I'm currently trying to do it seems wrong.
Background: We currently have 2 signature sets we use...
mister_paul_717
Nimbostratus
Sep 18, 2009
Indeed, I have noticed exactly that.
The big problem I face is that, of the 1400+ signatures in our two signature sets (one is predefined, the other is based on a filter), there are a handful that trigger false positives on nearly every request on our site. So, I clearly need to disable them. But, because they are in our signature set, they keep generating entries in our logs, and showing up in the learning results (while we're still learning things). With millions of requests a day, that is a lot of chaff hiding the wheat. So - I need to take them out of the signature set. So I'm now venturing into custom signature sets - which means maintenance.
I'm really hoping there are others out there who have similar experiences and can share how you are handling it.
In the meantime, yesterday I used a client-side proxy to create a log of the full response information as I clicked through the 73 pages of signatures, then wrote a Perl script to parse that log into a tab-delimited file that shows the following for each signature:
ID, NAME, ENABLED, STAGING, LEARN, ALARM, BLOCK, PARAM_OVERRIDE, APPLIES_TO, ATTACK_TYPE, RISK, ACCURACY, SETS, USER_DEFINED, LAST_UPDATED
Now at least I have a file of the signatures and their states that I can sort and filter in Excel...
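An added example, not part of the original posts: one way to use a tab-delimited inventory with the columns listed above to plan a custom signature set, by dropping members of the existing sets that match on most requests. The sample rows, set names, hit counts, the comma-separated `SETS` format, the 0.5 threshold and the function names are all assumptions made for illustration.

```python
import csv
import io

COLUMNS = ("ID NAME ENABLED STAGING LEARN ALARM BLOCK PARAM_OVERRIDE APPLIES_TO "
           "ATTACK_TYPE RISK ACCURACY SETS USER_DEFINED LAST_UPDATED").split()

# Constructed sample rows (not real signature data); SETS is assumed comma-separated.
ROWS = [
    ("1001", "sig-alpha", "yes", "no", "yes", "yes", "no", "no", "Request",
     "type-a", "High", "High", "predefined-set,filter-set", "no", "2009-09-01"),
    ("1002", "sig-beta", "yes", "no", "yes", "yes", "no", "no", "Request",
     "type-b", "Low", "Low", "filter-set", "no", "2009-09-01"),
    ("1003", "sig-gamma", "yes", "yes", "yes", "yes", "no", "no", "Response",
     "type-c", "Medium", "Medium", "other-set", "no", "2009-08-15"),
]
SAMPLE_TSV = "\n".join("\t".join(r) for r in [tuple(COLUMNS)] + ROWS) + "\n"
# Constructed counts: how many logged requests matched each signature ID.
SAMPLE_HITS = {"1001": 12, "1002": 9400, "1003": 3}

def load_inventory(text):
    """Parse the tab-delimited export, rejecting files with unexpected columns."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    if reader.fieldnames != COLUMNS:
        raise ValueError(f"unexpected header: {reader.fieldnames}")
    rows = list(reader)
    for n, row in enumerate(rows, start=2):
        # DictReader marks short rows with None values and long rows with a None key.
        if None in row or None in row.values():
            raise ValueError(f"line {n}: wrong number of fields")
    return rows

def plan_custom_set(inventory, hits, total_requests, source_sets, max_rate=0.5):
    """Split members of source_sets into (keep, drop) by per-request match rate."""
    keep, drop = [], []
    for sig in inventory:
        member_of = {s.strip() for s in sig["SETS"].split(",")}
        if not member_of & set(source_sets):
            continue  # not in the sets being replaced
        rate = hits.get(sig["ID"], 0) / total_requests
        (drop if rate > max_rate else keep).append(sig["ID"])
    return keep, drop

if __name__ == "__main__":
    inv = load_inventory(SAMPLE_TSV)
    keep, drop = plan_custom_set(inv, SAMPLE_HITS, 10000,
                                 ["predefined-set", "filter-set"])
    print("keep in custom set:", keep)
    print("review as likely false positives:", drop)
```

The `drop` list is a review queue rather than a verdict: a signature that matches most requests should be confirmed as a false positive before it is left out of the custom set.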
