[Lognorm] Libnormalize issue
Rainer Gerhards
rgerhards at hq.adiscon.com
Thu Nov 3 12:17:27 CET 2011
> -----Original Message-----
> From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-
> bounces at lists.adiscon.com] On Behalf Of James Lay
> Sent: Thursday, November 03, 2011 12:12 PM
> To: lognorm
> Subject: Re: [Lognorm] Libnormalize issue
>
>
>
> On 11/3/11 4:42 AM, "Rainer Gerhards" <rgerhards at hq.adiscon.com> wrote:
>
> >I have just uploaded an overview paper that may help to provide
> >context for this discussion (though admittedly not touching it
> >precisely):
> >
> >http://www.gerhards.net/download/LogNormalizationV2.pdf
> >
> >HTH
> >Rainer
>
> Wow...thanks Rainer, Champ and David...this is a LOT of great information for
> me to use. Again, I'm only using liblognorm as it relates to Sagan, so I'll get
> with Champ and ask a few more questions about how Sagan and liblognorm
> relate. As a final thought to think about..as it relates to false positives and
> the like, whose job is it to verify....the app sending the data, or the library
> parsing the data?
Well, the problem is that a false positive is a false positive because the
library interpreted it in a way that is present inside the rule base, but not
in the way the user thought it would. As the thought-reader is still under
development [;-)], the lib has no way of knowing it did not meet user
expectations.
However, we try to reduce the chance for false positives by using more
precise parsers before trying more generic parsers. At least that is the
plan. I am not sure right now if that is 100% implemented. That somewhat
mitigates the iptables-parser dilemma, but it still exists.
rainer
> Food for thought. I'll post some results in a different
> thread soon...already working with more types of data and rules...firewall
> rules come first, then others later :) Thanks again all.
>
> James
>
>
> _______________________________________________
> Lognorm mailing list
> Lognorm at lists.adiscon.com
> http://lists.adiscon.net/mailman/listinfo/lognorm
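To make Rainer's point about trying precise parsers before generic ones concrete, here is an added example (not liblognorm's own code, just a regex simulation of its `%field:type%` rule syntax with four assumed field types). A generic rule tried first "matches" an iptables-style line and yields a false positive; ordering rules by specificity first gives the intended fields.

```python
import re

# Assumed, simplified stand-ins for liblognorm field types (not its real parsers).
FIELD_RE = {
    "ipv4": r"(?:\d{1,3}\.){3}\d{1,3}",
    "number": r"\d+",
    "word": r"\S+",
    "rest": r".*",
}
# Narrower parsers score higher; literal text in the rule also adds precision.
SPECIFICITY = {"ipv4": 3, "number": 2, "word": 1, "rest": 0}


def compile_rule(rule):
    """Turn 'SRC=%src:ipv4% ...' into an anchored regex plus a specificity score."""
    pattern, score, pos = "", 0, 0
    for m in re.finditer(r"%(\w+):(\w+)%", rule):
        literal = rule[pos:m.start()]
        pattern += re.escape(literal)
        score += len(literal.strip())
        name, ftype = m.groups()
        pattern += f"(?P<{name}>{FIELD_RE[ftype]})"
        score += SPECIFICITY[ftype]
        pos = m.end()
    pattern += re.escape(rule[pos:])
    score += len(rule[pos:].strip())
    return re.compile("^" + pattern + "$"), score, rule


def normalize(line, rules, precise_first=True):
    """Return (matching rule, extracted fields); first match wins."""
    compiled = [compile_rule(r) for r in rules]
    if precise_first:
        # Most specific rule first, so a catch-all cannot shadow a real parser.
        compiled.sort(key=lambda c: -c[1])
    for regex, _score, rule in compiled:
        m = regex.match(line)
        if m:
            return rule, m.groupdict()
    return None, {}


# Constructed rules and a constructed iptables-style sample line (documentation IPs).
IPT = ("IN=eth0 OUT= SRC=%src:ipv4% DST=%dst:ipv4% PROTO=%proto:word% "
       "SPT=%spt:number% DPT=%dpt:number%")
GENERIC = "%ifspec:word% %msg:rest%"
LINE = "IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=4444 DPT=22"

if __name__ == "__main__":
    print(normalize(LINE, [GENERIC, IPT], precise_first=False))  # false positive
    print(normalize(LINE, [GENERIC, IPT]))                       # intended fields
```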