Snort mailing list archives
RE: Event-Correlation & avoiding false positives
From: <hugh_fraser () dofasco ca>
Date: Tue, 8 Jun 2004 10:32:39 -0400
I agree with the author of the perl script mentioned here, who said "I don't know about you, but when someone is shooting bullets at me, I would like to know they are shooting at me, even if they miss." With that in mind, I don't disable any alerts in snort based upon a profile of our infrastructure. All events seen are collected. I do, however, apply some statistics to the events as they happen to identify significant changes in behaviour. This allows me to flag changes in activity (whether it's an event or a source or destination address), and that change is often an indication of some kind of attack. Since I'm collecting everything I can collect, the forensic step in an investigation has all the information available, but I'm (ideally) notified only when there's something to look at.

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Brian
Sent: Monday, June 07, 2004 2:48 PM
To: Eric Hines
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Event-Correlation & avoiding false positives

On Mon, Jun 07, 2004 at 12:07:41PM -0500, Eric Hines wrote:
> There are also commercial tools available that correlate Nessus vulnerability scanning with IDS events.
Yep. And there is a 40 line perl script.

http://www.shmoo.com/~bmc/software/honeysuckle

Brian

-------------------------------------------------------
This SF.Net email is sponsored by: GNOME Foundation
Hackers Unite! GUADEC: The world's #1 Open Source Desktop Event.
GNOME Users and Developers European Conference, 28-30th June in Norway
http://2004/guadec.org
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
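The approach Hugh describes above, collecting every alert and flagging only statistically significant changes per event, source or destination, as an added example (not code from the thread, from Snort or from the honeysuckle script). It assumes alert_fast-style lines (the year, absent from that format, is assumed to be 2004), hourly windows, and a threshold of mean + 3 standard deviations over earlier windows with a minimum count of 5; the sample alert lines are constructed.

```python
"""Added example (not from the thread): count every Snort alert per (sid, src, dst)
per hour and flag only keys whose newest hour departs from the hours before it."""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Matches Snort "alert_fast"-style lines; the sample lines below are constructed.
FAST = re.compile(
    r'^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\]'
    r'.*?\{\w+\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?')

def parse(line):
    """Return (timestamp, sid, src, dst), or None when the line does not match."""
    m = FAST.match(line)
    if not m:
        return None
    ts = datetime.strptime("2004/" + m["ts"], "%Y/%m/%d-%H:%M:%S")  # year assumed
    return ts, int(m["sid"]), m["src"], m["dst"]

def window_counts(lines, key=lambda sid, src, dst: (sid, src, dst)):
    """Count alerts per key per hourly window: {window_start: Counter(key)}."""
    counts = defaultdict(Counter)
    for line in lines:
        rec = parse(line)
        if rec:
            ts, sid, src, dst = rec
            counts[ts.replace(minute=0, second=0, microsecond=0)][key(sid, src, dst)] += 1
    return counts

def flag_changes(counts, k=3.0, min_count=5):
    """Flag keys whose newest-window count exceeds mean + k*std of earlier windows."""
    windows = sorted(counts)
    latest, history = windows[-1], windows[:-1]
    flagged = {}
    for key in set().union(*(counts[w] for w in windows)):
        hist = [counts[w][key] for w in history]  # 0 for hours with no alerts
        now, mean = counts[latest][key], (statistics.fmean(hist) if hist else 0.0)
        std = statistics.pstdev(hist) if len(hist) > 1 else 0.0
        if now >= min_count and now > mean + k * max(std, 1.0):  # floor: std may be 0
            flagged[key] = (now, mean)
    return flagged

def sample_alerts():
    """Constructed data: 2 alerts/hour from two hosts for six hours, then one surges."""
    tmpl = ('06/08-{h:02d}:15:00.000000  [**] [1:2003:1] "WEB-MISC probe" [**] '
            '[Classification: Web Application Attack] [Priority: 2] {{TCP}} {src}:4432 -> 192.168.1.10:80')
    lines = [tmpl.format(h=h, src=s) for h in range(6) for s in ("10.1.1.5", "10.1.1.6") for _ in range(2)]
    lines += [tmpl.format(h=6, src="10.1.1.6")] * 2 + [tmpl.format(h=6, src="10.1.1.5")] * 20
    return lines
```

Passing a different `key` (for example `lambda sid, src, dst: src`) gives the per-source or per-destination view Hugh mentions, while the full alert stream stays available for the forensic step.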