Snort mailing list archives
Fwd: Tuning snort for false positives.
From: fatema bannatwala via Snort-users <snort-users () lists snort org>
Date: Wed, 3 Jan 2018 14:23:51 -0500
Sent it to snort-users () lists sourceforge net before; looks like this is the right one to forward to.

Hi,

I have been struggling for the past couple of months in tuning our Snort deployment to produce some valuable alerts that we can take action on. Most of the time almost 90% of the alerts result in false positives, and it is kind of time consuming investigating each and every alert without knowing if it's legit or not. Hence, I finally thought to ask the Snort community here, so that we can get the most value out of our Snort deployment, and if people can share their recipes to tune down Snort, then that would be a great help.

We have two Snort sensors deployed in production capturing all the network traffic on a ~10gbps link, sitting OUTSIDE our network firewall (i.e. traffic hits the sensors first before hitting the firewalls). And it generates tens of thousands of alerts every day, making it almost a full-time job to just go through the alerts to find a needle in the haystack.

We are using ET and VRT rule sets with almost ~25K rules enabled. I also have followed a couple of online guides to tune the Snort config by setting HOME_VAR and other configurable IP address ranges (like for DNS servers, http servers etc), but it didn't help much and we are still getting lots of alerts.

Anything that could be done for tuning Snort down more, so that we can get some real actionable items?

P.S. we are using Snort 2.9.9.0, if that matters.

Thanks,
Fatema.
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
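The post above describes the usual starting point for cutting alert volume: find which of the ~25K enabled rules produce most of the noise, then decide per signature whether to suppress a known-benign source or rate-limit the alert. The script below is an added example (not from this thread, and not part of Snort or its rule sets): it parses Snort 2.9 `alert_fast` output, ranks signatures by hit count with the sources behind each, and drafts `threshold.conf` entries using Snort 2.9's `suppress` and `event_filter` syntax for a human to review. The alert lines, SIDs (placeholders in the local 1000000+ range) and thresholds (80% single-source share, minimum 3 hits, 1 alert per source per 60 s) are all assumptions made up for the example.

```python
"""Rank noisy Snort signatures from alert_fast output and draft threshold.conf lines.

Added example for the tuning question above; not code from the Snort project.
Input format is Snort 2.9 'output alert_fast' (one alert per line).
"""
import re
from collections import Counter, defaultdict

# alert_fast line layout (Snort 2.9):
# MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: ..] [Priority: n] {PROTO} src:port -> dst:port
FAST_RE = re.compile(
    r"^\S+\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)

# Constructed sample alerts (SIDs are local-range placeholders, addresses are RFC 5737 test ranges).
SAMPLE_ALERTS = """\
01/03-09:00:01.000001  [**] [1:1000001:1] TEST SCAN ssh probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:44321 -> 198.51.100.10:22
01/03-09:00:02.000001  [**] [1:1000001:1] TEST SCAN ssh probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:44322 -> 198.51.100.11:22
01/03-09:00:03.000001  [**] [1:1000001:1] TEST SCAN ssh probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:44323 -> 198.51.100.12:22
01/03-09:00:04.000001  [**] [1:1000001:1] TEST SCAN ssh probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:44324 -> 198.51.100.13:22
01/03-09:00:05.000001  [**] [1:1000001:1] TEST SCAN ssh probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:51000 -> 198.51.100.10:22
01/03-09:01:00.000001  [**] [1:1000002:2] TEST POLICY external DNS query [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 192.0.2.10:53211 -> 198.51.100.53:53
01/03-09:01:01.000001  [**] [1:1000002:2] TEST POLICY external DNS query [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 192.0.2.11:53212 -> 198.51.100.53:53
01/03-09:01:02.000001  [**] [1:1000002:2] TEST POLICY external DNS query [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 192.0.2.12:53213 -> 198.51.100.53:53
01/03-09:01:03.000001  [**] [1:1000002:2] TEST POLICY external DNS query [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 192.0.2.13:53214 -> 198.51.100.53:53
01/03-09:02:00.000001  [**] [1:1000003:1] TEST MALWARE beacon checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.0.2.20:49152 -> 203.0.113.200:443
"""


def parse_fast(lines):
    """Parse alert_fast lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in lines:
        m = FAST_RE.match(line)
        if m:
            alerts.append(m.groupdict())
    return alerts


def rank_signatures(alerts):
    """Return [(gid, sid, msg, total, Counter(src -> hits))], loudest signature first."""
    totals = Counter()
    srcs = defaultdict(Counter)
    msgs = {}
    for a in alerts:
        key = (a["gid"], a["sid"])
        totals[key] += 1
        srcs[key][a["src"]] += 1
        msgs[key] = a["msg"]
    return [(gid, sid, msgs[(gid, sid)], n, srcs[(gid, sid)])
            for (gid, sid), n in totals.most_common()]


def draft_threshold_conf(ranked, dominant_share=0.8, min_hits=3, limit_seconds=60):
    """Draft threshold.conf entries for review (assumed policy, not a Snort default):
    - one source produces >= dominant_share of a signature's alerts -> suppress that source
      (typical for a vulnerability scanner or monitoring host, verify before applying);
    - otherwise -> event_filter limiting to 1 alert per source per limit_seconds;
    - signatures with fewer than min_hits alerts are left alone (rare alerts are the useful ones)."""
    out = []
    for gid, sid, msg, total, by_src in ranked:
        if total < min_hits:
            continue
        src, hits = by_src.most_common(1)[0]
        if hits / total >= dominant_share:
            out.append(f"# {msg}: {hits}/{total} alerts from {src}\n"
                       f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}")
        else:
            out.append(f"# {msg}: {total} alerts from {len(by_src)} sources\n"
                       f"event_filter gen_id {gid}, sig_id {sid}, type limit, "
                       f"track by_src, count 1, seconds {limit_seconds}")
    return out


if __name__ == "__main__":
    ranked = rank_signatures(parse_fast(SAMPLE_ALERTS.splitlines()))
    for gid, sid, msg, total, by_src in ranked:
        print(f"{total:6d}  {gid}:{sid}  {msg}  top src {by_src.most_common(1)[0]}")
    print("\n".join(draft_threshold_conf(ranked)))
```

Run it against a real `alert` file (`python3 rank_alerts.py < /var/log/snort/alert`, after swapping the sample for `sys.stdin`) and read the output as a worklist, not as config to apply blindly: a signature dominated by one source is only a candidate for `suppress` once that source is confirmed to be, say, the internal scanner, and a `suppress` silently hides a real attacker from that address. Changes to `threshold.conf` take effect after a Snort restart or config reload.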
Current thread:
- Fwd: Tuning snort for false positives. fatema bannatwala via Snort-users (Jan 03)
- Re: Tuning snort for false positives. Joel Esler (jesler) via Snort-users (Jan 03)
- Re: Tuning snort for false positives. fatema bannatwala via Snort-users (Jan 03)
- Re: Tuning snort for false positives. Joel Esler (jesler) via Snort-users (Jan 03)
- Re: Tuning snort for false positives. fatema bannatwala via Snort-users (Jan 03)
- Re: Tuning snort for false positives. Joel Esler (jesler) via Snort-users (Jan 03)
- Re: Tuning snort for false positives. fatema bannatwala via Snort-users (Jan 03)
- Re: Tuning snort for false positives. fatema bannatwala via Snort-users (Jan 03)
- Re: Tuning snort for false positives. Joel Esler (jesler) via Snort-users (Jan 03)