Re: false positives Mit lincoln laboratory and snort signatures

["Joel Esler" <jesler () sourcefire com>]

On 9 Aug 2012, at 6:43, Negin Nickparsa wrote:

> hello Dear Snort users
>
> I tested the darpa dataset 1999 with snort,I wrote an algorithm to 
> cluster
> alarms and now I need to know which of the alarms are false positives
> so as to update the snort rules manually.this is just my thesis and I 
> know
> the snort usually has exact rules.
> I want to look at the attacks of darpa and if snort Identifies an 
> attack
> which darpa didn't have it assume the alarm as false positive.
> I couldn't match the signatures of snort with attacks of darpa dataset
>
> would you please tell me how to map the signatures to attacks?
> I mean is there any file in snort which I can find the descriptions?

Do you feel that any of these are false positives?  Doesn't look like it 
to me.

Each rule has documentation associated with it, either on Snort.org, or 
in the rules themselves (look for "reference".)

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!