Snort mailing list archives

RE: Common false positives


From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Tue, 25 Feb 2003 11:30:46 -0600

There are lots of others that depend upon whether or not you actually have
the software - yabb.pl, count.cgi, etc., etc.  If you aren't running
those things, why bother alerting on that noise?  The internet is *full*
of all sorts of extraneous noise that only affects you if you are
actually running the software that the noise is aimed at.

Here's how I started - I looked at the top fifteen sources and studied
the kinds of alerts I was getting, and began eliminating those that I
didn't care about.  IIS rules that trigger from worm activity were
commented out and replaced with "reverse" rules ($HOME_NET any ->
$EXTERNAL_NET 80) because we only care about machines on our network
that are infected, not about machines on the Internet.  Etc., etc.

There is no way to avoid the work of getting your IDS "tuned" to your
network, and there's no formula that can do it for you.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
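The "reverse rule" tuning described above (disable an inbound IIS worm rule, add an outbound $HOME_NET any -> $EXTERNAL_NET 80 copy so only infected local hosts alert) is mechanical enough to script. The following is an added example, not code from the post or from the Snort project; it assumes the classic one-line Snort rule syntax (action proto src sport -> dst dport (options)), and the sample rules, messages and sid numbers are constructed for the example.

```python
import re

# Snort rule header: action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

# Constructed sample rules for this example; not taken from any real ruleset.
SAMPLE_RULES = """\
# constructed sample rules (example only)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS example worm probe"; flow:to_server,established; content:"/example.dll"; nocase; classtype:web-application-attack; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS example unicode traversal"; flow:to_server,established; uricontent:"/../"; classtype:web-application-attack; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE ssh scan"; flags:S; classtype:attempted-recon; sid:1000003; rev:1;)
"""


def parse_rule(line):
    """Split a one-line Snort rule into its header fields; None for comments/blank lines."""
    m = HEADER_RE.match(line.strip())
    return m.groupdict() if m else None


def reverse_rule(rule, new_sid, home="$HOME_NET", external="$EXTERNAL_NET"):
    """Build the outbound version of an inbound rule.

    Source becomes any host on the home network (an infected machine may be
    any box, not just a web server), destination becomes the outside world on
    the original destination port.  'flow:to_server' is left alone: in the
    reversed rule the local host is still the TCP client.  A new sid in the
    local range keeps Snort's sids unique, and the msg is prefixed so the
    alert is recognisable as the tuned copy.
    """
    opts = re.sub(r"sid\s*:\s*\d+", f"sid:{new_sid}", rule["opts"])
    opts = re.sub(r'msg\s*:\s*"', 'msg:"OUTBOUND ', opts, count=1)
    return (f'{rule["action"]} {rule["proto"]} {home} any {rule["dir"]} '
            f'{external} {rule["dport"]} ({opts})')


def tune_rules(text, msg_prefix="WEB-IIS", base_sid=1100001):
    """Disable matching inbound rules (kept as comments) and emit reversed copies.

    Only rules whose source is $EXTERNAL_NET and whose msg starts with
    msg_prefix are touched; everything else passes through unchanged.
    """
    out = []
    next_sid = base_sid
    for line in text.splitlines():
        rule = parse_rule(line)
        if (rule and rule["src"] == "$EXTERNAL_NET"
                and f'msg:"{msg_prefix}' in rule["opts"]):
            out.append("# " + line.strip())          # original kept for reference, disabled
            out.append(reverse_rule(rule, next_sid))  # outbound replacement
            next_sid += 1
        else:
            out.append(line)
    return out


if __name__ == "__main__":
    print("\n".join(tune_rules(SAMPLE_RULES)))
```

The script only swaps direction for rules that match a message prefix you choose, so rules for services you do run stay inbound; review the generated file before loading it, since the reversed copies fire on any local host talking to port 80 with the same payload.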



-----Original Message-----
From: Matt Kettler [mailto:mkettler () EVI-INC COM] 
Sent: Tuesday, February 25, 2003 11:07 AM
To: John Cherbini; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Common false positives


Well, there are lots of common "non-issue" cases.

In general, your first hint should be to look at the classification of the
rule that fired.

