Snort mailing list archives
Re: How can I recognize rules with high false positive rate?
From: sekure <sekure () gmail com>
Date: Thu, 17 Jun 2004 11:25:21 -0400
False positives/negatives are highly dependent on your individual network/rules/implementation. You have to run snort, continuously observing and tweaking the alerts and decide for yourself which ones are false positives and which ones are legitimate alerts.

On Thu, 17 Jun 2004 19:42:07 +0430, Ali Zand <ali.zand () gmail com> wrote:
Hi.
In my network low false positive rate is much more important than low false negative rate. I need some way to classify Snort rules into "high false positive" and "low false positive" categories.
Do Snort rules' "priority" and "classtype" indicate their false positive/negative rates? If yes, how? If no, how can I know their false positive rate?
Thanks in advance.
--
Ali Zand

-------------------------------------------------------
This SF.Net email is sponsored by The 2004 JavaOne(SM) Conference
Learn from the experts at JavaOne(SM), Sun's Worldwide Java Developer Conference, June 28 - July 1 at the Moscone Center in San Francisco, CA
REGISTER AND SAVE! http://java.sun.com/javaone/sf Priority Code NWMGYKND
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users