Re: "False postive" database idea

[Brian <bmc () snort org>]

On Tue, Sep 23, 2003 at 12:34:30PM -0400, Anton Chuvakin wrote:
> Brian and all,
>
> I suspect people monitoring lots of NIDS sensors start to have their own
> favorite "false positives". After I upped the number of snort sensors I
> run I started seeing lots of nice ones :-) And that made me think of a
> following idea:
>
> Why can't we create a public database of "false positive" so that snort
> users everywhere can submit theirs and make life simple for everybody
> running snort?
>
> For example, submission may take the form of 'Application X during auth
> phase always triggers snort alarm Y' or 'I keep seeing in my environment;
> here is the packet dump, here is the snort alert X which gets triggered'
>
> I suspect implementing such an idea will optimize the snort rule
> development by a large margin.

Submit it as an update to the rule documentation.  There is a section
for false positives...

-brian


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users