[Oisf-users] Options for rule set sources

Cooper F. Nelson cnelson at ucsd.edu
Tue Feb 20 13:50:21 UTC 2018


That's the real question, of which there can be no true answer (known
unknowns).

I did some metrics last year for our network, which is one of the
largest in the country in terms of attack surface.  Of ~38k active
signatures, we've observed ~10k unique signatures by SID over a 30-day
window.  Unique signatures per day are around 1,500.

The takeaway here is that even for big, messy networks we are
automatically looking for more threats via the ETPRO feed than we are
actually observing by a fairly wide margin.

The reality is that the threats you are going to be missing will mostly
fall within the scope of insider threats and targeted attacks, neither
of which can be detected entirely via third-party threat intel.  That's
where threat hunting comes into play, which is another topic entirely.

-Coop

On 2/20/2018 3:45 AM, Sascha Steinbiss wrote:
> I am wondering what else is out there that we are probably missing out
> on.

-- 
Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
cnelson at ucsd.edu x41042
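The coverage metric Coop describes (unique SIDs observed in a window, set against the number of active signatures) can be computed directly from Suricata's eve.json alert records and the loaded rule files. This is an added example, not code from the post or from the Suricata project; the rule lines and eve.json records below are constructed samples, and the field names read (event_type, alert.signature_id, timestamp) are the standard eve.json keys.

```python
import json
import re
from collections import defaultdict

# Constructed sample rule lines (not a real rule set); a leading '#' marks a disabled rule.
SAMPLE_RULES = """\
alert tcp any any -> any 22 (msg:"SAMPLE ssh probe"; sid:9000001; rev:1;)
alert tcp any any -> any 80 (msg:"SAMPLE http probe"; sid:9000002; rev:1;)
# alert udp any any -> any 53 (msg:"SAMPLE disabled"; sid:9000003; rev:1;)
alert tcp any any -> any 443 (msg:"SAMPLE tls probe"; sid:9000004; rev:1;)
"""

# Constructed sample eve.json records; only event_type "alert" carries a SID.
SAMPLE_EVE = """\
{"timestamp":"2018-01-03T10:01:00.000000+0000","event_type":"alert","alert":{"signature_id":9000001}}
{"timestamp":"2018-01-03T10:02:00.000000+0000","event_type":"alert","alert":{"signature_id":9000001}}
{"timestamp":"2018-01-03T11:00:00.000000+0000","event_type":"flow","flow":{}}
{"timestamp":"2018-01-04T09:00:00.000000+0000","event_type":"alert","alert":{"signature_id":9000002}}
{"timestamp":"2018-01-04T09:30:00.000000+0000","event_type":"alert","alert":{"signature_id":9000001}}
{not valid json
"""

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")

def active_sids(rules_text):
    """SIDs of enabled rules; commented-out rules are disabled and not counted."""
    sids = set()
    for line in rules_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = SID_RE.search(line)
        if m:
            sids.add(int(m.group(1)))
    return sids

def observed_sids(eve_text):
    """Unique SIDs over the whole window and per UTC day, from eve.json alert records."""
    total, per_day = set(), defaultdict(set)
    for line in eve_text.splitlines():
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # truncated or corrupt line: skip it rather than abort the run
        if rec.get("event_type") != "alert":
            continue
        sid = rec["alert"]["signature_id"]
        total.add(sid)
        per_day[rec["timestamp"][:10]].add(sid)  # "YYYY-MM-DD" prefix of the timestamp
    return total, {day: len(s) for day, s in per_day.items()}

def coverage(rules_text, eve_text):
    """Fraction of the active rule set that actually fired in the window, plus per-day uniques."""
    active = active_sids(rules_text)
    seen, per_day = observed_sids(eve_text)
    return len(seen & active) / len(active), per_day

if __name__ == "__main__":
    frac, per_day = coverage(SAMPLE_RULES, SAMPLE_EVE)
    print(f"{frac:.0%} of active rules fired; unique SIDs per day: {per_day}")
```

On a real sensor, feed it the concatenated *.rules files Suricata loads and a 30-day slice of eve.json to reproduce the ~10k-of-38k style figure from the post.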

