Snort mailing list archives

RE: Tuning snort false positives


From: "Ron Jenkins" <rjenkins () dibr net>
Date: Sun, 9 Jan 2005 08:02:45 -0600

  

Just a note.

 

Most all IDS solutions will yield False Positives.  The false positives
will usually be high in number, especially if you are monitoring web
traffic from inside to the public.

If you are going to introduce an IDS solution (any type), you will need
to spend time baselining your environment to trim the alert types that
best serve you.

 

 

Thanks...

 

________________________________

From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Juan
Fernandez
Sent: Sunday, January 09, 2005 4:34 AM
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] Tuning snort false positives

 

Hi,

 

I wanted to ask all of you if you reached a point in snort installation
in which there aren't any false positives or negative alerts.

It seems that snort can't be 100% reliable and I will always receive
wrong alerts....

Do any of you receive just real alerts (just alerts that indicate
penetration or an attempt to penetrate the network)?

I'm starting to think that snort isn't worth all the energy and hours
I'm spending on it.

 

Thanks !!

 

