Snort mailing list archives
Filtering alerts
From: "Richard Brackett" <rbrackett () securityvolition com>
Date: Mon, 22 Sep 2003 20:32:40 -0400
Rather than disabling noisy rules (false positives), I've been using pass rules to stop alerts to hosts that either aren't vulnerable to the attack or where the data is a false positive (I get a lot of those with the Gnutella rule and HTTP/SMTP sessions). Is there another, better methodology to use rather than pass? My Syngress Snort 2.0 book says you shouldn't need to write many pass rules, but how the heck do you keep the false positives and noise to an acceptable level? Do I have to go buy a management system?

I'm using Snort 2.0.2, ACID and MySQL on a SuSE 8.2 box.
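As an added illustration of the pass-rule approach the post describes (example config, not the poster's own rules): a Snort 2.0-style fragment that silences one noisy signature for one host while leaving the rule active for everyone else. The host addresses, SIDs and the content string are assumed placeholders, and `$EXTERNAL_NET` is taken to be defined earlier in snort.conf.

```snort
# Added example, not from the original post. Scoped pass rules for Snort 2.0.x.
#
# Assumed placeholders (not from the post):
#   192.0.2.20     workstation that legitimately runs a Gnutella client
#   192.0.2.10     internal mail relay whose SMTP sessions trip a content rule
#   sid 1000001+   local-rule SID range, kept clear of the stock rule set
#
# Snort 2.0 tests rules in the order Alert -> Pass -> Log, so a pass rule is
# only reached after the alert has already fired. Start Snort with -o to
# switch the order to Pass -> Alert -> Log; without it these rules do nothing:
#
#     snort -o -c /etc/snort/snort.conf -i eth0
#
# Keep each pass rule exactly as narrow as the alert it is meant to suppress:
# same protocol, same port, the same content match, and one specific host.
# A bare "pass tcp any any -> 192.0.2.10 25" would also hide real attacks.

# Known Gnutella host: copy the noisy rule's header and content match, change
# "alert" to "pass", and pin the source to that one host. The content string
# here is illustrative; copy the one from your own firing rule.
pass tcp 192.0.2.20 any -> $EXTERNAL_NET 6346 (msg:"PASS known Gnutella client"; content:"GNUTELLA CONNECT"; sid:1000001; rev:1;)

# Mail relay producing false positives: again match only the relay, only on
# port 25, and only the content that causes the false alarm.
pass tcp $EXTERNAL_NET any -> 192.0.2.10 25 (msg:"PASS trusted SMTP relay false positive"; content:"FALSE-POSITIVE-PATTERN"; sid:1000002; rev:1;)

# Every other host still matches the unmodified alert rules in the stock files.
```

Log the pass rules' SIDs in a local.rules file and review them periodically so that a suppression written for a host that has since changed role is not left in place.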