[sanesecurity] Re: Long DB refresh times

  • From: Emanuele Balla <clam@xxxxxxxxxxxx>
  • To: sanesecurity@xxxxxxxxxxxxx
  • Date: Thu, 26 Apr 2012 17:01:23 +0200

On 4/26/12 4:03 PM, Grayhat wrote:
> 
>>> Again... I think this is something worth a couple more opinions
>  
>> Sorry for being brief...I've just emailed Emanuele with an idea..
>> which hopefully may reduce the bofhland db sizes from 29,292 sigs to
>> about 5,281 sigs... if it can be implemented.
> 
> Don't worry Steve :) and... well, if the DB may be reduced so much w/o
> losing in efficiency then... go for it :D !

As I told Steve, it's a matter of FPs and amount of work: the whole
point is that for a single domain/hostname there may be several
different malware URLs that all match the same regexp. Steve's proposal
is then to use a single rule matching the regexp instead of the several
rules matching the URL one by one.

The FP issue is that the regexp can easily match valid URLs on the same
domain too, and the very reason why I've been building these DBs is to
block this stuff with no FP at all..

The "amount of work" issue would require the description of the system
that is running behind the scenes generating those DBs; the short
version is: that system works on single URLs, and aggregating what it
produces the way Steve suggests will require manual intervention: while
some of these can be aggregated with specific regexps that are valid
through several different domains, they change over time, and managing
the regexp generation can turn out to be quite complicated to automate...
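As an added illustration (not code from this list or from the Sanesecurity/bofhland tooling) of the trade-off described above: one exact rule per malware URL versus one aggregate regexp per host, and the FPs each produces on benign URLs of the same host. The hostname and URLs are constructed sample data.

```python
import re
from os.path import commonprefix
from urllib.parse import urlsplit

# Constructed sample data (not from the list post): several malware URLs
# share one host and directory; the benign URLs live on the same host.
MALWARE_URLS = [
    "http://example.test/images/upd/setup.exe",
    "http://example.test/images/upd/setup2.exe",
    "http://example.test/images/upd/inst.exe",
]
BENIGN_URLS = [
    "http://example.test/images/upd/logo.png",
    "http://example.test/index.html",
]

def exact_rules(urls):
    """Per-URL rules: one signature per malware URL, as an automated generator emits."""
    return set(urls)

def aggregate_rule(urls, tail=r".*"):
    """Collapse all URLs of one host into one regexp on their common path prefix.

    `tail` constrains what may follow the prefix; the default flags everything
    under it, a tighter tail (e.g. r"[^/]+\.exe$") needs manual review per host.
    """
    host = urlsplit(urls[0]).hostname
    prefix = commonprefix([urlsplit(u).path for u in urls])
    return re.compile(r"^https?://" + re.escape(host) + re.escape(prefix) + tail)

def evaluate(matcher, malware, benign):
    """Return (number of malware URLs detected, list of benign URLs wrongly matched)."""
    detected = sum(1 for u in malware if matcher(u))
    false_positives = [u for u in benign if matcher(u)]
    return detected, false_positives

def compare(malware, benign):
    """Evaluate exact rules, a loose aggregate regexp and a hand-tightened one."""
    exact = exact_rules(malware)
    loose = aggregate_rule(malware)
    tight = aggregate_rule(malware, tail=r"[^/]+\.exe$")
    return {
        "exact": evaluate(lambda u: u in exact, malware, benign),
        "aggregate": evaluate(lambda u: loose.search(u) is not None, malware, benign),
        "aggregate_exe": evaluate(lambda u: tight.search(u) is not None, malware, benign),
    }

if __name__ == "__main__":
    for name, (hits, fps) in compare(MALWARE_URLS, BENIGN_URLS).items():
        print(f"{name}: {hits}/{len(MALWARE_URLS)} detected, {len(fps)} FP(s) {fps}")
```

The loose aggregate rule catches all three samples but also flags the benign image under the same directory; the tightened tail removes that FP here, yet choosing such a tail is exactly the per-host manual work the message describes.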

