IDS mailing list archives

RE: Snort

From: "Wozny, Scott (US - New York)" <swozny () deloitte com>
Date: Thu, 30 Sep 2004 12:47:34 -0400

There's no magic bullet to eliminate false positives.  The solution
surrounds understanding the traffic that is generating the false
positive and tuning (or turning off) the signature as appropriate.
Snort signatures are pretty flexible so you just need to read up and do
some further analysis.  If you're new to this I suggest an intrusion
analysis course (I liked the SANS one, but that's not a plug) to help
you better understand why traffic that isn't really a threat is being
logged as such.  Too many people out there turn on every signature they
can without understanding what's applicable to their environment and
then are overwhelmed with the amount of data (i.e. if you're an
environment that forces browsing through proxies you shouldn't be
alerting on proxy Web GETs).  Reports don't take out your false
positives.  Not logging forensically uninteresting traffic takes out you
false positives.

Once you've done some tuning and are beginning to log only events of
forensic interest THEN you should look at some correlation software.
There are both open source and commercial software offerings that do
this differently based upon your needs.  Do some research and see what
fits for the kinds of reports you need to generate.

Hope this helps,

Scott


-----Original Message-----
From: Jeremy Gonzales [mailto:jerdgonzales () yahoo com] 
Sent: Monday, September 27, 2004 5:09 PM
To: focus-ids () securityfocus com
Subject: Snort


Hi,

Does anyone have experience with snort reports? How do
you deal with the loads of information? Is there a way
to  generate reports that eliminate the false
positives? Any help will be appreciated.

Thanks,

Jeremy.



                
__________________________________
Do you Yahoo!?
Yahoo! Mail - 50x more storage than other providers!
http://promotions.yahoo.com/new_mail

------------------------------------------------------------------------
--
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
--




This message (including any attachments) contains confidential information intended for a specific individual and 
purpose, and is protected by law.  If you are not the intended recipient, you should delete this message.  Any 
disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited.

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------

Current thread:

Snort Jeremy Gonzales (Sep 30)
- Re: Snort Alex Butcher, ISC/ISYS (Sep 30)
- Re: Snort SuxxToBe (Sep 30)
- Re: Snort Ron Gula (Sep 30)
- Re: Snort Jose Maria Lopez (Sep 30)
- <Possible follow-ups>
- RE: Snort Wozny, Scott (US - New York) (Sep 30)
- RE: Snort Bénoni MARTIN (Sep 30)