Re: Snort with an expert system

[Stephen Mullins <steve.mullins.work () gmail com>]

False positives will vary from network to network.  You can alter the
rules to eliminate false positives you run into.

I wouldn't use the spyware rules unless you want Snort telling you
everyone has Earthlink toolbar installed when they check their
Earthlink ISP webmail.

On Sat, Apr 4, 2009 at 8:22 AM, Timmmy <bluesinblood () gmail com> wrote:
> Hi everybody
> I'm coupling an IDS with an expert system. I want to prove that this could
> decrease the number of false positives. I chose Snort as an IDS.
> Because of the huge number of signatures, I just want (for now) to take a
> little set of signatures and design the expert system rules according to
> theses signatures to work like an administrator would do (analyse logs,
> monitor the alerts, know if it's a false positive or not, make decision).
> So, what is in your opinion the right set of signatures to take (for
> example, the signatures that generate a lot of false positives) ?
> Thx!
> --
> View this message in context: http://www.nabble.com/Snort-with-an-expert-system-tp22881974p22881974.html
> Sent from the IDS (Intrusion Detection System) mailing list archive at Nabble.com.