Snort mailing list archives
"False positive" database idea
From: Anton Chuvakin <anton () chuvakin org>
Date: Tue, 23 Sep 2003 12:34:30 -0400 (EDT)
Brian and all,

I suspect people monitoring lots of NIDS sensors start to have their own favorite "false positives". After I upped the number of snort sensors I run, I started seeing lots of nice ones :-)

And that made me think of the following idea: Why can't we create a public database of "false positives" so that snort users everywhere can submit theirs and make life simple for everybody running snort?

For example, a submission may take the form of 'Application X during auth phase always triggers snort alarm Y' or 'I keep seeing in my environment; here is the packet dump, here is the snort alert X which gets triggered'.

I suspect implementing such an idea will optimize the snort rule development by a large margin.

Best,
--
Anton A. Chuvakin, Ph.D., GCI*
http://www.chuvakin.org
http://www.info-secure.org
Current thread:
- "False positive" database idea Anton Chuvakin (Sep 23)
- Re: "False positive" database idea Brian (Sep 23)