IDS mailing list archives

Re: Snort

From: Graeme Connell <gconnell () middlebury edu>
Date: Thu, 30 Sep 2004 13:04:24 -0400

Jeremy,

You've just encountered one of the largest and most difficultproblems in the IDS industry today: How to deal with the informationyou receive. There are numerous projects designed to present datastored by Snort in a more comprehensive way. You can check out thefollowing projects:


      ACID:  http://acidlab.sourceforge.net/

SnortSnarf:http://www.snort.org/dl/contrib/data_analysis/snortsnarf/

      Sguil:  http://sguil.sourceforge.net/

All are available for free, and all attempt to parse the data receivedfrom Snort in a way that's managable.Eliminating false positives is, I'm afraid, an unattainable goal.You can try to remove the most common ones you receive by modifying therules that snort uses, but remember that this will increase thepossibility of false negatives, or attacks that go unnoticed. I'd checkout the projects above before attempting to modify the rule files forSnort, and if you still have problems, consider that as a second option.


      --Graeme Connell

Jeremy Gonzales wrote:

Hi,

Does anyone have experience with snort reports? How do
you deal with the loads of information? Is there a way
to  generate reports that eliminate the false
positives? Any help will be appreciated.

Thanks,

Jeremy.



                
__________________________________
Do you Yahoo!?
Yahoo! Mail - 50x more storage than other providers!
http://promotions.yahoo.com/new_mail

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------

Current thread:

Re: Snort vvaduva (Sep 30)
- <Possible follow-ups>
- Re: Snort Graeme Connell (Sep 30)
- RE: Snort Leon De France (Oct 01)
- Re: Snort Martin Roesch (Oct 01)
  - Re: Snort Alex Butcher, ISC/ISYS (Oct 04)
    - Re: Snort James Riden (Oct 05)
- RE: Snort Eric Hines (Oct 01)
- Re: Snort Raffael Marty (Oct 01)
- RE: Snort Phil Hollows (Oct 01)