Snort mailing list archives

RE: False alerts


From: Steve Hutchins <Steve.Hutchins () optimation co nz>
Date: Thu, 20 Dec 2001 09:51:04 +1300

You missed the point!

The article's main point (regardless of which
IDS) was that until the problem of false alerts
is addressed, adoption by less technically
skilled people will be slow. This is not new
news!

I'm not sure what Marty's goals were when he
started development of snort, but I guess being
the best IDS and most usable might have been on
his list.
Although I think that snort is the best IDS,
the biggest problem I have to deal with when
installing it for customers is the reduction
of noise from false alerts. They are not usually
capable of or willing to handle this themselves.
But the more user-friendly it becomes, the more
likely they are to change their mind.

With the ridiculous cost of other IDS products,
there is a definite trend (from where I am) of
people wanting an alternative lower cost solution,
such as snort.
If snort is to stand out from the other 
products in the usability and manageability factors,
then this false alert problem is a prime area to
be addressed. I'm sure that the other IDS vendors
are actively looking to solve this issue.

I just proposed an idea. It may suck for some people,
but at least it was an idea.
I didn't see anything in your response that adds
any value to the subject!
In fact, all I saw in your response was an attempt
to justify why snort should remain too technical
for the masses. Maybe this is an insecurity you
have for your job, I don't know. 

Your type of response does more damage than good.
Other people on the list see this type of flame,
and are put off sending in their own questions
and ideas in the event of someone like yourself
putting them down. What's more, by the time all
the mud flinging has taken place, the original
concept or question is usually forgotten because
people are already sick of the subject.

When I said "Yep, knew I shouldn't have bothered!"
I was anticipating the usual non-helpful responses
that people like yourself send, which I have to
waste my time in responding to.

You might have noticed that at the bottom of my
post, I said "Anyone done something along this line?"
I said that for a reason, responses like "go for it"
are all fine, except they don't tell me if someone
else is already doing it!

-----Original Message-----
From: John Sage [mailto:jsage () finchhaven com]
Sent: Wednesday, 19 December 2001 2:07 p.m.
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] False alerts


umm..


Yep, knew I shouldn't have bothered!


As to whether "you should have bothered", perhaps you might more 
reasonably have anticipated the responses you received.


First, aside from the fact that the article at the Reg never mentions 
snort by name, the tone of the article suggests that the actual topic is 
canned, big vendor, proprietary solutions that are installed when:

"...business managers buy IDS systems (often on the advice of auditors 
or consultants) without committing to the people and resources needed to 
make the technology work, or having a managed services firm maintain an 
installation."


I would be willing to bet that this is hardly *ever* the context under 
which snort is installed and used.


Second, when you say:

"...a configuration wizard that presents a list of O/S and apps..."

the term "wizard" alone conjures up a Window$-style approach that many 
are trying to get/stay away from: the blind use of wizards and other 
front ends with checkboxes and radio buttons that do something to some 
configuration file somewhere, all the while the user remaining 
blissfully unaware of what is *actually* happening, and why.


Third, the very nature of snort is such that, as with most open source 
software, when a major new direction is proposed (and particularly when 
it's proposed with a "...*you* could..." directive) a common response 
will likely be:

"Yeah? Cool.. do it!"

which in fact someone almost literally said.


So IMO it's not that you shouldn't have bothered, it's just that you 
shouldn't be quite so surprised.

(Which, considering the phrasing of your response, I don't *really* 
think you were...)


- John

--
Computers: they're really just nothing but l's and O's



Steve Hutchins wrote:

Yep, knew I shouldn't have bothered!

-----Original Message-----
From: Phil Wood [mailto:cpw () lanl gov]
Sent: Wednesday, 19 December 2001 11:11 a.m.
To: Steve Hutchins
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] False alerts


And while you're at it, have snort nmap -O all the systems on $HOME_NET 
and with the abundant info returned, answer the questions itself, and
go on its merry way, leaving the satisfied customer oblivious.

On Wed, Dec 19, 2001 at 10:18:27AM +1300, Steve Hutchins wrote:

Reading article: http://www.theregister.co.uk/content/55/23420.html

I wondered why snort couldn't come with
the ability or tool that asks which categories of
systems are in use on the network to be monitored.
So for example, you could spark up a configuration
wizard that presents a list of O/S and apps, then
removes the rules that don't apply to that environment.
Obviously, this would mean specific tagging of rules.
Anyone done something along this line? 

Obviously us 'techies' wouldn't use such a tool :O)

Steve

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

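The quoted proposal at the bottom of the thread (a tool that asks which categories of systems are on the monitored network and removes the rules that don't apply, which requires tagging the rules) can be sketched in a few dozen lines. The script below is an added example written for this archive page; it is not code from the thread, from Snort, or from any of the posters. It assumes rules carry a `metadata:` option holding `os` and `service` key/value tags (Snort does have a `metadata` rule option, but these particular tag names and the sample rules are an assumed convention constructed for the example). Rules that are untagged, or tagged `os any`, are deliberately left enabled: the filter only disables what its tags prove irrelevant, so a sloppy tag cannot silently blind the sensor.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample ruleset (not real Snort rules). The "metadata:os ..., service ..."
# tags are an assumed tagging convention for this example.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE IIS unicode traversal attempt"; flow:to_server,established; content:"/..%c0%af../"; nocase; sid:1000001; rev:1; metadata:os windows, service http;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE Apache chunked encoding overflow attempt"; flow:to_server,established; content:"Transfer-Encoding|3A| chunked"; nocase; sid:1000002; rev:1; metadata:os linux, service http;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE SSH version probe"; flow:to_server,established; content:"SSH-1.99"; sid:1000003; rev:1; metadata:os any, service ssh;)
alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"EXAMPLE SNMP public community string"; content:"public"; sid:1000004; rev:1;)
"""

METADATA_RE = re.compile(r"metadata:\s*([^;]*);")
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")


def join_continuations(text: str) -> List[str]:
    """Snort rules may continue onto the next line with a trailing backslash; merge them."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        lines.append(buf + line)
        buf = ""
    if buf:
        lines.append(buf.strip())
    return lines


def parse_tags(rule: str) -> Dict[str, Set[str]]:
    """Return the metadata option as {key: {values}}; empty dict if the rule is untagged."""
    tags: Dict[str, Set[str]] = {}
    m = METADATA_RE.search(rule)
    if not m:
        return tags
    for pair in m.group(1).split(","):
        parts = pair.split()
        if len(parts) >= 2:
            tags.setdefault(parts[0].lower(), set()).add(" ".join(parts[1:]).lower())
    return tags


def rule_applies(rule: str, environment: Dict[str, Set[str]]) -> bool:
    """A rule applies unless some tag key the environment constrains has no matching value.

    Untagged rules and 'any' values always apply, so only provably irrelevant rules drop out.
    """
    tags = parse_tags(rule)
    for key, wanted in environment.items():
        have = tags.get(key)
        if have is None or "any" in have:
            continue
        if not (have & {v.lower() for v in wanted}):
            return False
    return True


def filter_rules(text: str, environment: Dict[str, Set[str]]) -> Tuple[str, Dict[int, bool]]:
    """Comment out rules that don't fit the environment; return the new text and a sid->kept map."""
    out: List[str] = []
    decisions: Dict[int, bool] = {}
    for line in join_continuations(text):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            out.append(line)
            continue
        sid_m = SID_RE.search(stripped)
        sid = int(sid_m.group(1)) if sid_m else -1
        if rule_applies(stripped, environment):
            out.append(line)
            decisions[sid] = True
        else:
            out.append("# disabled by environment filter: " + line)
            decisions[sid] = False
    return "\n".join(out) + "\n", decisions


if __name__ == "__main__":
    # Answers a "wizard" would collect: a Windows-only web and SSH estate.
    site = {"os": {"windows"}, "service": {"http", "ssh"}}
    text, kept = filter_rules(SAMPLE_RULES, site)
    print(text)
    print({sid: ("kept" if ok else "disabled") for sid, ok in kept.items()})
```

The disabled rules are commented out rather than deleted so the operator can see, in the rules file itself, what the tool removed and why, which keeps the "user remains unaware of what is actually happening" objection raised in the thread in check.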