Snort mailing list archives

Filtering alerts


From: "Richard Brackett" <rbrackett () securityvolition com>
Date: Mon, 22 Sep 2003 20:32:40 -0400

Rather than disabling noisy rules (false positives), I've been using pass
rules to stop alerts to hosts that either aren't vulnerable to the
attack or where the data is a false positive (I get a lot of those with the
Gnutella rule and HTTP/SMTP sessions). Is there another, better
methodology to use rather than pass? My Syngress Snort 2.0 book says you
shouldn't need to write many pass rules, but how the heck do you keep
the false positives and noise to an acceptable level? Do I have to go
buy a management system?

I'm using Snort 2.0.2, ACID and MySQL on a SuSE 8.2 box.


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
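The three tuning mechanisms the post is weighing, written out as an added example (not from the original post or from the Snort distribution): a pass rule, a per-host suppression, and an event threshold. The SID 1000001 and the addresses 10.1.1.54 and 10.1.1.0/24 are hypothetical placeholders; substitute the gen_id/sig_id of the rule that is actually firing (ACID shows both). The caveat a pass-rule user most often trips over is the last line: in the 2.x series Snort applies rules in the order Alert, Pass, Log by default, so a pass rule in snort.conf does nothing until the order is changed with `config order` or the `-o` command-line switch.

```conf
# --- snort.conf ---------------------------------------------------------
# 1. Pass rule: silently drop traffic matching an explicit signature before
#    the alert rule for the same content is evaluated. Content and SID below
#    are hypothetical stand-ins for a noisy P2P rule.
pass tcp $HOME_NET any -> $EXTERNAL_NET any \
    (msg:"Ignore known-benign Gnutella-like GET"; flow:to_server,established; \
     content:"GNUTELLA"; sid:1000001; rev:1;)

# Without this line (or `snort -o`) pass rules are evaluated AFTER alert
# rules and never suppress anything. Putting it in the config avoids
# depending on everyone remembering the switch.
config order: pass alert log

# Load the thresholding/suppression file (shipped as threshold.conf).
include threshold.conf

# --- threshold.conf -----------------------------------------------------
# 2. Suppress: keep the rule enabled for everyone else, but never alert
#    when this particular host is the destination. This is the usual answer
#    to "host X is not vulnerable to sig Y": the rule still fires for other
#    targets, and no pass rule or rule ordering is needed.
suppress gen_id 1, sig_id 1000001, track by_dst, ip 10.1.1.54

# Same idea for a whole subnet of non-vulnerable hosts.
suppress gen_id 1, sig_id 1000001, track by_src, ip 10.1.1.0/24

# 3. Threshold: keep the signal but cap the volume. "type limit" logs the
#    first match per source and then nothing more for 60 seconds, so a
#    chatty session produces one row in ACID instead of hundreds.
threshold gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 60
```

Suppression and thresholding leave the rule intact and take effect regardless of rule order, which is why they scale better than a growing list of pass rules: a pass rule has to duplicate the original rule's match criteria and silently masks the event for every host, whereas a suppress entry names exactly the gen_id/sig_id and address pair being excused. Thresholding is the right tool when the alert is genuine but repetitive (the HTTP/SMTP session noise mentioned in the post), since the first event is still recorded.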
