Snort mailing list archives
RE: false positives in snort IDs
From: "Ophir Rachman" <ophir () securimine com>
Date: Mon, 3 Jan 2005 10:10:20 -0800
Hi,

The problem of false positives is inherent in security products and is not specific to Snort. In Snort it is a little emphasized since, unlike commercial products, the rules writers are not terrified of customers complaining about false positives and therefore they simply write rules for whatever is interesting. Commercial products are extra careful about that and consequently do not get all the interesting information.

We in Securimine believe this problem will not go away and there is a need to develop automatic tools that will overcome this problem. More than that, we do not believe the solution is in the detection layer, but in the data analysis layer. Our company was founded to solve this problem and today we are distributing freeware software, SFS (Securimine for Snort), that uses baseline monitoring combined with data mining algorithms to help Snort users focus on the real issues and not on time-consuming normal data that triggers alerts. More information can be found at www.securimine.com.

Regards,
The Securimine team.

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Bob Konigsberg
Sent: Monday, January 03, 2005 8:05 AM
To: 'Juan B'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] false positives in snort IDs

I guess the first question I'd ask is: How much time have you already put into identifying and classifying the false positives?

Simple example: If you're getting warnings about Apache and/or Microsoft web servers, and you don't have any (meaning that all the servers in question belong to someone else), then you should comment out the rulesets relating to those functions.

A goodly part of this process is educating yourself and other staff about what IS and what IS NOT normal and safe for your particular network. Once you know which is which, then you can tune the rules accordingly.

Bob

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Juan B
Sent: Monday, January 03, 2005 3:58 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] palse positives in snort IDs

Hi,

I am wondering about the false positives issue in Snort. I want to ask all of you if some of you reached a point in your Snort installation, a point in configuration, that you don't receive false positives at all? I mean that each alert that you receive is something interesting that you must know about? I am really considering trying another product because of a heavy false positive problem in Snort (although I'm aware that all the products have the same problem). I am receiving a lot of false positives and I need to put a lot of man power in this IDS; I think that it's not worth it.

thanks !!

-------------------------------------------------------
The SF.Net email is sponsored by: Beat the post-holiday blues
Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek.
It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
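Bob's "comment out the rulesets for servers you don't have" triage can be scripted. The following is an added example (not from the thread and not Snort's or Securimine's code) that parses Snort fast-format alert lines and flags SIDs whose every hit targets a host that does not run the service the rule category assumes. The alert lines, SIDs, addresses, asset inventory and the category-to-service map are all constructed for this example.

```python
import re
from collections import defaultdict

# Snort "fast" alert line layout:
#   MM/DD-HH:MM:SS.uuuuuu  [**] [gid:sid:rev] msg [**] [...] {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?"
)
# Service a rule category presumes on the destination host (assumed mapping).
CATEGORY_SERVICE = {"WEB-IIS": "iis", "WEB-MISC": "http", "WEB-PHP": "php", "NETBIOS": "smb"}

SAMPLE_ALERTS = [  # constructed sample log lines, placeholder SIDs
    "01/03-08:05:12.000000  [**] [1:1000001:1] WEB-IIS sample.asp access [**] [Priority: 2] {TCP} 203.0.113.7:3456 -> 192.0.2.10:80",
    "01/03-08:05:13.000000  [**] [1:1000001:1] WEB-IIS sample.asp access [**] [Priority: 2] {TCP} 203.0.113.8:4021 -> 192.0.2.10:80",
    "01/03-08:06:01.000000  [**] [1:1000002:1] WEB-PHP sample.php access [**] [Priority: 2] {TCP} 203.0.113.9:5100 -> 192.0.2.11:80",
    "01/03-08:07:44.000000  [**] [1:1000003:1] NETBIOS sample share access [**] [Priority: 2] {TCP} 203.0.113.10:1025 -> 192.0.2.12:445",
]
# Constructed asset inventory: host -> services it really runs (192.0.2.12 is not ours).
INVENTORY = {"192.0.2.10": {"http"}, "192.0.2.11": {"http", "php"}}

def parse_alert(line):
    """Return the alert fields plus the ruleset category (first word of msg), or None."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["category"] = fields["msg"].split(" ", 1)[0]
    return fields

def classify(lines, inventory):
    """Tally alerts per SID; a SID is a tuning candidate when every hit targets a host
    that does not run the service its category presumes (unknown hosts count as such)."""
    hits = defaultdict(lambda: {"msg": "", "total": 0, "off_target": 0})
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        entry = hits[a["sid"]]
        entry["msg"], entry["total"] = a["msg"], entry["total"] + 1
        needed = CATEGORY_SERVICE.get(a["category"])
        if needed and needed not in inventory.get(a["dst"], set()):
            entry["off_target"] += 1
    candidates = {sid for sid, e in hits.items() if e["total"] == e["off_target"]}
    return hits, candidates

if __name__ == "__main__":
    hits, cands = classify(SAMPLE_ALERTS, INVENTORY)
    for sid, e in sorted(hits.items()):
        tag = "TUNING CANDIDATE" if sid in cands else "keep"
        print(f"sid {sid}: {e['total']} alerts, {e['off_target']} off-target -> {tag} ({e['msg']})")
```

A flagged SID points at a ruleset to comment out or a `suppress` entry to add; a SID with mixed on- and off-target hits still needs a human look before tuning.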
Current thread:
- palse positives in snort IDs Juan B (Jan 03)
- RE: false positives in snort IDs Bob Konigsberg (Jan 03)
- RE: false positives in snort IDs Ophir Rachman (Jan 03)
- RE: false positives in snort IDs Bob Konigsberg (Jan 03)