Snort mailing list archives
RE: False alerts
From: Steve Hutchins <Steve.Hutchins () optimation co nz>
Date: Thu, 20 Dec 2001 09:51:04 +1300
You missed the point! The article's main point (regardless of which IDS) was that until the problem of false alerts is addressed, adoption by less technically skilled people will be slow. This is not new news! I'm not sure what Marty's goals were when he started development of snort, but I guess being the best IDS and most usable might have been on his list. Although I think that snort is the best IDS, the biggest problem I have to deal with when installing it for customers, is the reduction of noise from false alerts. They are not usually capable or willing to handle this themselves. But the more user friendly it becomes, they might change their mind. With the ridiculous cost of other IDS products, there is a definite trend (from where I am) of people wanting an alternative lower cost solution, such as snort. If snort is to stand out from the other products in the usability and manageability factors, then this false alert problem is a prime area to be addressed. I'm sure that the other IDS vendors are actively looking to solve this issue. I just proposed an idea. It may suck for some people, but at least it was an idea. I didn't see anything in your response that adds any value to the subject! In fact, all I saw in your response was an attempt to justify why snort should remain too technical for the masses. Maybe this is an insecurity you have for your job, I don't know. Your type of response does more damage than good. Other people on the list see this type of flame, and are put off sending in their own questions and ideas in the event of someone like yourself putting them down. What's more, by the time all the mud flinging has taken place, the original concept or question is usually forgotten because people are already sick of the subject. When I said "Yep, knew I shouldn't have bothered!" I was anticipating the usual non-helpful responses that people like yourself send, which I have to waste my time in responding to. You might have noticed that at the bottom of my post, I said "Anyone done something along this line?" I said that for a reason, responses like "go for it" are all fine, except they don't tell me if someone else is already doing it! -----Original Message----- From: John Sage [mailto:jsage () finchhaven com] Sent: Wednesday, 19 December 2001 2:07 p.m. To: snort-users () lists sourceforge net Subject: Re: [Snort-users] False alerts umm..
Yep, knew I shouldn't have bothered!
As to whether "you should have bothered", perhaps you might more reasonably have anticipated the responses you received. First, aside from the fact that the article at the Reg never mentions snort by name, the tone of the article suggests that the actual topic is canned, big vendor, proprietary solutions that are installed when: "...business managers buy IDS systems (often on the advice of auditors or consultants) without committing to the people and resources needed to make the technology work, or having a managed services firm maintain an installation." I would be willing to bet that this is hardly *ever* the context under which snort is installed and used. Second, when you say: "...a configuration wizard that presents a list of O/S and apps..." the term "wizard" alone conjures up a Window$-style approach that many are trying to get/stay away from: the blind use of wizards and other front ends with checkboxes and radio buttons that do something to some configuration file somewhere, all the while the user remaining blissfully unaware of what is *actually* happening, and why. Third, the very nature of snort is such that, as with most open source software, when a major new direction is proposed (and particularily when it's proposed with a "...*you* could..." directive) a common response will likely be: "Yeah? Cool.. do it!" which in fact someone almost literally said. So IMO it's not that you shouldn't have bothered, it's just that you shouldn't be quite so surprised. (Which, considering the phrasing of your response, I don't *really* think you were...) - John -- Computers: they're really just nothing but l's and O's Steve Hutchins wrote:
Yep, knew I shouldn't have bothered! -----Original Message----- From: Phil Wood [mailto:cpw () lanl gov] Sent: Wednesday, 19 December 2001 11:11 a.m. To: Steve Hutchins Cc: snort-users () lists sourceforge net Subject: Re: [Snort-users] False alerts And while your at it, have snort nmap -O all the systems on $HOME_NET and with the abundant info returned, answer the questions itself, and go on its merry way, leaving the satisfied customer oblivous. On Wed, Dec 19, 2001 at 10:18:27AM +1300, Steve Hutchins wrote:Reading article: http://www.theregister.co.uk/content/55/23420.html I wondered why snort couldn't come with the ability or tool that asks which categories of systems are in use on the network to be monitored. So for example, you could spark up a configuration wizard that presents a list of O/S and apps, then removes the rules that don't apply to that environment. Obviously, this would mean specific tagging of rules. Anyone done something along this line? Obviously us 'techies' wouldn't use such a tool :O) Steve _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- False alerts Steve Hutchins (Dec 18)
- Re: False alerts Jim Forster (Dec 18)
- Re: False alerts Phil Wood (Dec 18)
- Re: False alerts Phil Wood (Dec 18)
- <Possible follow-ups>
- RE: False alerts Steve Hutchins (Dec 18)
- Re: False alerts John Sage (Dec 18)
- RE: False alerts Steve Hutchins (Dec 19)