Snort mailing list archives
Re: Common false positives
From: Bennett Todd <bet () rahul net>
Date: Tue, 25 Feb 2003 12:03:17 -0500
2003-02-25T11:10:28 John Cherbini:
I was simply wondering if those of you with more experience with snort could share some of the rules that are generally found to be false positives.
This depends wildly on local details; depending on whether your environment makes it feasible for you to really meaningfully populate HOME_NET, EXTERNAL_NET, *_SERVERS, *_PORTS; depending on whether the traffic patterns your snort is exposed to trigger lots of false-positives from portscan2, etc.

Another factor is the location of your sensor. Snorts listening _inside_ firewalls tend to have few "real" incidents, and most of their output is false positives; this can make them easier to tune. Snorts placed outside firewalls, showing all traffic arriving at the doorstep from the wide-open internet, are often very very noisy, with all the knob-twisters and failed attack attempts showing up. But are these "false positives"? Many would say no.

Furthermore, some sigs whinge about routing network yammering that reflects the existence of running Windows systems; not everyone agrees that such devices constitute attacks:-). Some snort sensor placement intrinsically prevents the sensor from seeing such traffic; other placements don't.

A simple alert summarizing script (I append a throwaway I wrote once for this) can be helpful in deciding what to hammer at first.

-Bennett

#!/usr/bin/perl -w
use strict;
use IO::File;

# Build sid -> "message [refs]" from Snort's sid-msg.map
# (lines look like: sid || msg || ref || ref ...).
my $map = IO::File->new("</etc/snort/sid-msg.map")
    || die "cannot open /etc/snort/sid-msg.map: $!";
my %sid;
while (defined($_ = $map->getline)) {
    next unless /^\d+\s*\|\|/;    # skip comments and blank lines
    chomp;
    my ($id, $msg, @refs) = split /\s*\|\|\s*/, $_;
    $_ = "$msg";
    $_ .= " [@refs]" if @refs;
    $sid{$id} = $_;
}

# Count alerts per sid from fast-format alert lines read from stdin
# or the files named on the command line, e.g.
# "02/25-12:03:17.000000 [**] [1:1000001:1] msg [**] ...".
my %alerts;
while (<>) {
    next unless /^\S+\s+\[\*\*\] \[1:(\d+)/;
    $alerts{$1}++;
}

# Print sid, hit count and message, lowest sid first.
for (sort { $a <=> $b } keys %alerts) {
    my $desc = defined $sid{$_} ? $sid{$_} : "(sid not in sid-msg.map)";
    printf "%5d %5d %s\n", $_, $alerts{$_}, $desc;
}
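The same per-SID summary, written here as an added example in Python rather than taken from Bennett's post, and extended in the direction his reply points: besides the hit count and the sid-msg.map message, it reports how many distinct sources fired each signature and how many of those sit inside HOME_NET, which is the first thing to check when deciding whether a noisy rule is a true false positive or an artifact of sensor placement. The sid-msg.map excerpt, the fast-format alert lines, the 1000000+ local SIDs and the HOME_NET value are all constructed for the example.

```python
"""Summarise Snort fast-format alerts per SID with a source breakdown.

Added example, not the script from the original post. Counts alerts per
signature id, resolves the message from a sid-msg.map excerpt, and reports
distinct sources and how many of them fall inside HOME_NET.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sid-msg.map excerpt in the real file's layout:
#   sid || msg || ref || ref ...
# SIDs in the 1000000+ local range are placeholders, not real Snort rules.
SID_MSG_MAP = """\
# comment lines are skipped
1000001 || LOCAL chatty netbios name query || url,example.invalid/netbios
1000002 || LOCAL web scanner user-agent
1000003 || LOCAL icmp ping sweep
"""

# Constructed alert lines in Snort's "alert_fast" layout.
ALERT_LOG = """\
02/25-12:03:17.000001 [**] [1:1000001:1] LOCAL chatty netbios name query [**] [Priority: 3] {UDP} 10.1.1.20:137 -> 10.1.1.255:137
02/25-12:03:18.000002 [**] [1:1000001:1] LOCAL chatty netbios name query [**] [Priority: 3] {UDP} 10.1.1.21:137 -> 10.1.1.255:137
02/25-12:03:19.000003 [**] [1:1000001:1] LOCAL chatty netbios name query [**] [Priority: 3] {UDP} 10.1.1.20:137 -> 10.1.1.255:137
02/25-12:04:01.000004 [**] [1:1000002:2] LOCAL web scanner user-agent [**] [Priority: 2] {TCP} 203.0.113.7:4432 -> 10.1.1.80:80
02/25-12:04:02.000005 [**] [1:1000002:2] LOCAL web scanner user-agent [**] [Priority: 2] {TCP} 198.51.100.9:1025 -> 10.1.1.80:80
02/25-12:05:00.000006 [**] [1:1000003:1] LOCAL icmp ping sweep [**] [Priority: 3] {ICMP} 203.0.113.7 -> 10.1.1.80
this line is not an alert and is ignored
"""

HOME_NET = ipaddress.ip_network("10.1.1.0/24")  # assumed value for the example

# Timestamp, "[**]", "[gid:sid:rev]", anything, "{PROTO} src -> dst".
ALERT_RE = re.compile(
    r"^\S+\s+\[\*\*\] \[1:(?P<sid>\d+):\d+\] .*?\{(?P<proto>\w+)\} "
    r"(?P<src>\S+) -> (?P<dst>\S+)$"
)


def parse_sid_map(text):
    """Return {sid: 'msg [refs]'} from sid-msg.map content."""
    sids = {}
    for line in text.splitlines():
        if not re.match(r"^\d+\s*\|\|", line):
            continue  # comments, blanks, malformed lines
        sid, msg, *refs = [f.strip() for f in line.split("||")]
        sids[int(sid)] = msg + (" [%s]" % " ".join(refs) if refs else "")
    return sids


def strip_port(endpoint):
    """'10.1.1.20:137' -> IPv4Address; ICMP endpoints carry no port."""
    host = endpoint.rsplit(":", 1)[0] if ":" in endpoint else endpoint
    return ipaddress.ip_address(host)


def parse_alert(line):
    """Return (sid, src_ip, dst_ip) for a fast-format alert line, else None."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    return int(m.group("sid")), strip_port(m.group("src")), strip_port(m.group("dst"))


def summarize(alert_text, sid_map, home_net):
    """Per-SID rows sorted by hit count (desc), then sid."""
    counts = defaultdict(int)
    sources = defaultdict(set)
    for line in alert_text.splitlines():
        parsed = parse_alert(line)
        if parsed is None:
            continue
        sid, src, _dst = parsed
        counts[sid] += 1
        sources[sid].add(src)
    rows = []
    for sid in sorted(counts, key=lambda s: (-counts[s], s)):
        srcs = sources[sid]
        rows.append({
            "sid": sid,
            "count": counts[sid],
            "msg": sid_map.get(sid, "(sid not in sid-msg.map)"),
            "distinct_src": len(srcs),
            "home_src": sum(1 for s in srcs if s in home_net),
        })
    return rows


def format_summary(rows):
    """Render rows as an aligned text table."""
    lines = ["%8s %5s %4s %4s  %s" % ("sid", "hits", "srcs", "home", "msg")]
    for r in rows:
        lines.append("%8d %5d %4d %4d  %s" % (
            r["sid"], r["count"], r["distinct_src"], r["home_src"], r["msg"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_summary(summarize(ALERT_LOG, parse_sid_map(SID_MSG_MAP), HOME_NET)))
```

A rule whose sources are all inside HOME_NET (the netbios row above) is the kind of "network yammering" the reply mentions and is a tuning candidate; one whose hits all come from outside with many distinct sources is more likely the doorstep noise that many would not call a false positive.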
Current thread:
- Common false positives John Cherbini (Feb 25)
- Re: Common false positives Matt Kettler (Feb 25)
- Re: Common false positives Bennett Todd (Feb 25)
- <Possible follow-ups>
- RE: Common false positives Schmehl, Paul L (Feb 25)