Snort mailing list archives
False Positives
From: Colin Wu <wucolin () mcmaster ca>
Date: Wed, 13 Jun 2001 14:05:09 -0400
Hello fellow Snorters,

I have snort/SnortSnarf set up and running fairly smoothly for about a week now and have really enjoyed looking at all the alerts, warnings, etc. and following up on some of them. When I first installed snort I used the entire rule set from whitehat and generated an alert file that was over 32M in the first hour (did I mention I have a /16 network?). Since then I have trimmed down a lot of the false positives until now I'm only getting 400 - 500 per hour, on average. I feel that if I trimmed any more I'm going to start missing the real alerts.

What's more, we had a real intrusion recently - a machine was actually compromised - and I missed it because the initial probe and actual attack were buried in all the false positives. When the sysadmin came and asked about a specific machine at a specific time I was able to say "Yes, this is how it was done", but that's like the old cliché about the runaway horse and the barn door. I also can't afford to spend my entire day looking at snort logs, which is what it basically takes now.

So my question basically is: how do you folks handle the false positives? Is 400 - 500 per hour reasonable in a university environment? Should I be looking into SPADE next?

Thanks for your feedback.

--
Network Analyst
Computing & Information Services
McMaster University
(905) 525-9140 ext 24050
http://netman.McMaster.CA
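The usual first step for the tuning problem described in this post is to stop reading alerts one at a time and instead rank them: signatures whose hits come overwhelmingly from one source or go to one destination are tuning candidates (a monitoring host, a scanner, a management station), while low-volume signatures are the ones a flood of false positives hides. The script below is an added example written for this archive page, not code from the original post or from the Snort project. It parses Snort's one-line "fast" alert format, groups hits per signature, flags concentrated signatures, lists rare ones, and emits a draft pass rule. The SIDs, messages and addresses in the sample lines are constructed; the `-o` flag (pass rules evaluated before alert rules) is the real Snort option, but check it against the Snort version you run.

```python
"""Triage Snort 'fast' alert lines: which signatures are noise, which are rare.

Added example, not from the original post or from Snort. The sample alert
lines are constructed (hypothetical SIDs, documentation/RFC 1918 addresses).
"""
import re
from collections import Counter

# One Snort fast-format alert line, for reference (constructed):
# 06/13-14:00:01.000001 [**] [1:9001:1] ICMP PING NMAP [**] [Classification: Test] [Priority: 2] {ICMP} 10.0.0.5 -> 192.0.2.1
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"(?:\[Priority:\s*(?P<pri>\d+)\]\s+)?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def host(addr):
    """Strip a trailing :port (TCP/UDP) so grouping is per host, not per flow."""
    return addr.rsplit(":", 1)[0] if addr.count(":") == 1 else addr


def parse_alert(line):
    """Return a dict of fields for a fast-format alert, or None for other lines."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    a["sid"] = int(a["sid"])
    a["pri"] = int(a["pri"]) if a["pri"] else None
    a["src_host"], a["dst_host"] = host(a["src"]), host(a["dst"])
    return a


def summarize(lines):
    """Per SID: message, protocol, total hits, hits per source and per destination host."""
    per_sid = {}
    for line in lines:
        a = parse_alert(line)
        if a is None:          # skip blank/garbled lines instead of aborting the run
            continue
        s = per_sid.setdefault(a["sid"], {"msg": a["msg"], "proto": a["proto"].lower(),
                                          "total": 0, "src": Counter(), "dst": Counter()})
        s["total"] += 1
        s["src"][a["src_host"]] += 1
        s["dst"][a["dst_host"]] += 1
    return per_sid


def noisy_signatures(per_sid, min_hits=5, concentration=0.8):
    """Signatures dominated by one source or one destination host: tune, don't delete.

    Returns (sid, 'src'|'dst', host, share) tuples, highest alert volume first.
    """
    out = []
    for sid, s in per_sid.items():
        if s["total"] < min_hits:
            continue
        for side in ("src", "dst"):
            h, n = s[side].most_common(1)[0]
            share = n / s["total"]
            if share >= concentration:
                out.append((sid, side, h, share))
                break
    return sorted(out, key=lambda t: -per_sid[t[0]]["total"])


def rare_signatures(per_sid, max_hits=2):
    """Low-volume signatures: exactly the alerts a wall of false positives buries."""
    return sorted(sid for sid, s in per_sid.items() if s["total"] <= max_hits)


def pass_rule(per_sid, sid, side, h):
    """Draft a Snort 'pass' rule silencing one host for the signature's protocol.

    A pass rule matches packets, not signatures, so this as written silences every
    alert for that host/protocol: narrow it with the original rule's ports and
    content options before deploying. Snort applies alert rules before pass rules
    unless started with -o (pass -> alert -> log order).
    """
    s = per_sid[sid]
    hdr = f"{h} any -> any any" if side == "src" else f"any any -> {h} any"
    return f'pass {s["proto"]} {hdr} (msg:"tuned {s["msg"]}"; sid:{1000000 + sid};)'


def mk(ts, sid, msg, proto, src, dst, pri=2):
    """Build a constructed fast-format alert line for the sample data below."""
    return (f"{ts} [**] [1:{sid}:1] {msg} [**] [Classification: Test] "
            f"[Priority: {pri}] {{{proto}}} {src} -> {dst}")


T = "06/13-14:00:01.000001"
SAMPLE = (
    [mk(T, 9001, "ICMP PING NMAP", "ICMP", "10.0.0.5", f"192.0.2.{i}") for i in range(6)]
    + [mk(T, 9001, "ICMP PING NMAP", "ICMP", "10.0.0.77", "192.0.2.9")]
    + [mk(T, 9002, "SNMP public access", "UDP", f"10.0.1.{i}:1024", "192.0.2.20:161")
       for i in range(5)]
    + [mk(T, 9003, "WEB-CGI test probe", "TCP", "198.51.100.7:3121", "192.0.2.30:80")]
    + [mk(T, 9004, "SCAN FIN", "TCP", "198.51.100.7:44111", "192.0.2.30:21")] * 2
    + ["garbage line that is not an alert"]
)

if __name__ == "__main__":
    per_sid = summarize(SAMPLE)
    for sid, side, h, share in noisy_signatures(per_sid):
        print(f"noisy: {sid} {per_sid[sid]['msg']!r} {share:.0%} from one {side} {h}")
        print("   ", pass_rule(per_sid, sid, side, h))
    for sid in rare_signatures(per_sid):
        print(f"rare:  {sid} {per_sid[sid]['msg']!r} hits={per_sid[sid]['total']}")
```

Run it against a real `alert` file by replacing `SAMPLE` with `open("alert")`; the thresholds `min_hits` and `concentration` are the knobs to adjust for a /16. The point of `rare_signatures` is the second half of the post: after the high-volume noise is handled, the short list of signatures that fired once or twice is where the probe and the compromise would have shown up.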
Current thread:
- False Positives Colin Wu (Jun 13)