IDS mailing list archives
Re: Snort
From: Graeme Connell <gconnell () middlebury edu>
Date: Thu, 30 Sep 2004 13:04:24 -0400
Jeremy,You've just encountered one of the largest and most difficult problems in the IDS industry today: How to deal with the information you receive. There are numerous projects designed to present data stored by Snort in a more comprehensive way. You can check out the following projects:
ACID: http://acidlab.sourceforge.net/SnortSnarf: http://www.snort.org/dl/contrib/data_analysis/snortsnarf/
Sguil: http://sguil.sourceforge.net/All are available for free, and all attempt to parse the data received from Snort in a way that's managable. Eliminating false positives is, I'm afraid, an unattainable goal. You can try to remove the most common ones you receive by modifying the rules that snort uses, but remember that this will increase the possibility of false negatives, or attacks that go unnoticed. I'd check out the projects above before attempting to modify the rule files for Snort, and if you still have problems, consider that as a second option.
--Graeme Connell Jeremy Gonzales wrote:
Hi, Does anyone have experience with snort reports? How do you deal with the loads of information? Is there a way to generate reports that eliminate the false positives? Any help will be appreciated. Thanks, Jeremy. __________________________________ Do you Yahoo!? Yahoo! Mail - 50x more storage than other providers! http://promotions.yahoo.com/new_mail -------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. --------------------------------------------------------------------------
-------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. --------------------------------------------------------------------------
Current thread:
- Re: Snort vvaduva (Sep 30)