IDS mailing list archives
Re: Snort with an expert system
From: Stephen Mullins <steve.mullins.work () gmail com>
Date: Sat, 18 Apr 2009 11:07:39 -0400
False positives will vary from network to network. You can alter the rules to eliminate false positives you run into. I wouldn't use the spyware rules unless you want Snort telling you everyone has Earthlink toolbar installed when they check their Earthlink ISP webmail.

On Sat, Apr 4, 2009 at 8:22 AM, Timmmy <bluesinblood () gmail com> wrote:

> Hi everybody, I'm coupling an IDS with an expert system. I want to prove that this could decrease the number of false positives. I chose Snort as an IDS. Because of the huge number of signatures, I just want (for now) to take a little set of signatures and design the expert system rules according to these signatures to work like an administrator would do (analyse logs, monitor the alerts, know if it's a false positive or not, make decision).
>
> So, what is in your opinion the right set of signatures to take (for example, the signatures that generate a lot of false positives)?
>
> Thx!
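As an added illustration of the two ideas in this thread (a small rule base that judges Snort alerts the way an administrator would, and then altering the rules so a confirmed false positive stops firing), here is example code that is not from either poster. It assumes Snort's alert_fast output format and the Snort 2 threshold.conf `suppress` syntax; the SIDs, hosts and alert lines are constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network

# One Snort alert_fast line; only the fields the rules need are captured.
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\*\*\]"
    r".*?\[Priority: (?P<prio>\d+)\].*?\{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?"
)

# Site knowledge the rules reason over (constructed values, not real hosts).
INTERNAL_NET = ip_network("10.0.0.0/8")
ISP_WEBMAIL_HOSTS = {"192.0.2.10", "192.0.2.11"}  # the ISP's webmail servers

# Constructed alert_fast lines; SIDs 999001/999002 are placeholders, not real Snort rules.
ALERTS = [
    "04/04-08:22:01.000001  [**] [1:999001:2] SPYWARE-PUT toolbar runtime detection [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.1.2.3:51000 -> 192.0.2.10:80",
    "04/04-08:23:10.000002  [**] [1:999002:1] EXPLOIT buffer overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.7:40000 -> 10.1.2.3:445",
    "04/04-08:24:00.000003  [**] [1:999001:2] SPYWARE-PUT toolbar runtime detection [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.1.2.9:51001 -> 203.0.113.5:80",
]

def parse_alert(line):
    """Alert fields as a dict, or None if the line is not alert_fast format."""
    return (m := ALERT_RE.search(line)) and m.groupdict()

def classify(a):
    """Decide like an analyst would: return (verdict, reason)."""
    src, dst, msg = ip_address(a["src"]), ip_address(a["dst"]), a["msg"].lower()
    # Rule 1: a "toolbar" spyware hit from an inside host to the ISP's own webmail is benign.
    if "toolbar" in msg and src in INTERNAL_NET and a["dst"] in ISP_WEBMAIL_HOSTS:
        return "false_positive", "toolbar traffic to known ISP webmail host"
    # Rule 2: a priority-1 alert from outside onto an internal host goes to a human now.
    if a["prio"] == "1" and src not in INTERNAL_NET and dst in INTERNAL_NET:
        return "escalate", "priority 1 inbound alert against internal host"
    return "review", "no rule matched; needs analyst context"

def suppress_directive(a):
    # threshold.conf line that silences this SID for this destination only,
    # so the signature keeps firing for other hosts (the "alter the rules" step).
    return f"suppress gen_id {a['gid']}, sig_id {a['sid']}, track by_dst, ip {a['dst']}"

def triage(lines):
    """Return [(verdict, reason, suppress_line_or_None)] for each parsable alert."""
    rows = []
    for a in filter(None, map(parse_alert, lines)):
        verdict, reason = classify(a)
        rows.append((verdict, reason, suppress_directive(a) if verdict == "false_positive" else None))
    return rows
```

Running `triage(ALERTS)` marks the webmail toolbar hit as a false positive with a ready-made suppress line, escalates the inbound priority-1 alert, and leaves the toolbar hit to an unknown host for review.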
Current thread:
- Snort with an expert system Timmmy (Apr 07)
- Re: Snort with an expert system Stephen Mullins (Apr 20)
- Re: Snort with an expert system Martin Roesch (Apr 20)
- Re: Snort with an expert system Stephen Mullins (Apr 20)