Snort mailing list archives

Re: doubts about how many false positives exists


From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 22 Apr 2004 17:24:54 -0400

At 03:37 PM 4/22/2004, Ernesto wrote:
I want to know how many false positives there are per real positive. In other words, what is the ratio of false positives that we can find for each 100 real positives in your Snort signature database? I hope that you understand my question. I appreciate your response. Thanks

That ratio depends a lot on how you've set up your sensor. Definitions of HOME_NET and EXTERNAL_NET greatly change the noise level. It also varies greatly with where you place the sensor.

For example, if I set up a snort box with a default set of rules:

Using "any" and "any" for HOME and EXTERNAL, placed monitoring a LAN core switch, I'd expect about 100,000 false positives per 100 real positives (i.e. about a 1000:1 ratio).

However, a well-defined HOME, and an EXTERNAL of !HOME, placed only monitoring my egress to the Internet, would likely be about 200 false alerts for every 100 real alerts (2:1 ratio). There would also be a lot of trivial and useless alerts for real attacks that aren't of any significant concern (i.e. Code Red infection attempts, which never seem to die out, but all my servers are long since patched against it. Yes, I did get a Code Red infection attempt on 04/20/2004 from a machine in APNIC's 219/8 block.)

Some tuning can greatly improve either number. However, anyone with a ratio better than 1:20 (1 false per 20 real) is doing very well in tuning, or has restricted their ruleset to the point they are missing a significant number of real attacks that they would have otherwise caught.

PD: I am sorry for my English.

That's ok.
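The effect Matt describes, as an added example that is not part of the original thread: a small model of how the `$EXTERNAL_NET any -> $HOME_NET any` direction in a Snort rule header matches traffic when HOME_NET/EXTERNAL_NET are both `any` versus when HOME_NET is a defined prefix and EXTERNAL_NET is `!$HOME_NET`. The sample flows and the 192.168.1.0/24 home prefix are constructed for illustration.

```python
"""Model of Snort rule-header direction matching under two variable setups.
Added example, not code from the Snort project or from the thread."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def make_matcher(home_net):
    """Predicate for an 'EXTERNAL_NET any -> HOME_NET <port>' rule header.

    home_net=None models 'var HOME_NET any' and 'var EXTERNAL_NET any':
    every address is both home and external, so every flow matches.
    Otherwise EXTERNAL_NET is modelled as !$HOME_NET, so only flows that
    enter the home prefix from outside it match.
    """
    if home_net is None:
        return lambda flow: True
    net = ip_network(home_net)

    def is_home(addr):
        return ip_address(addr) in net

    return lambda flow: (not is_home(flow.src)) and is_home(flow.dst)


def count_matches(flows, home_net, dport=80):
    """Count flows a web rule (dport 80) would fire on under a given HOME_NET."""
    matches = make_matcher(home_net)
    return sum(1 for f in flows if f.dport == dport and matches(f))


# Constructed sample flows: RFC 1918 LAN plus documentation prefixes (RFC 5737).
SAMPLE_FLOWS = [
    Flow("192.168.1.10", "192.168.1.20", 80),   # LAN to LAN (core-switch noise)
    Flow("192.168.1.10", "192.168.1.21", 80),   # LAN to LAN
    Flow("192.168.1.10", "203.0.113.5", 80),    # LAN to Internet (outbound browsing)
    Flow("198.51.100.7", "192.168.1.20", 80),   # Internet to LAN (the inbound case)
]

if __name__ == "__main__":
    print("any/any        :", count_matches(SAMPLE_FLOWS, None))
    print("HOME=!EXTERNAL :", count_matches(SAMPLE_FLOWS, "192.168.1.0/24"))
```

With `any`/`any` all four web flows trip the rule, while the defined HOME_NET leaves only the single inbound flow, which is the source of the noise-ratio difference in the reply.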
