IDS mailing list archives
General ruleset tweaking and testing resources
From: Darren Spruell <darren_spruell () sento com>
Date: Tue, 22 Jun 2004 16:54:07 -0600
We're rolling out a new IDS implementation. Undoubtedly there are going to be far too many alerts to deal with initially, but we want to put a lot of focus on reducing false positives and tweaking our sensors for accuracy.
Our current IDS implementation is prelude-ids, which uses a lot of Snort rules and other types as well.
Are there general best practices for ruleset optimization? And can someone suggest good strategies for tweaking Snort and/or Prelude rules to minimize false positives?
TIA -- DS