Snort mailing list archives

RE: false positives in snort IDs


From: "Bob Konigsberg" <bobkberg () networkeval com>
Date: Mon, 3 Jan 2005 08:05:07 -0800

I guess the first question I'd ask is: How much time have you already put
into identifying and classifying the false positives?

Simple example: If you're getting warnings about Apache and/or Microsoft web
servers, and you don't have any (meaning that all the servers in question
belong to someone else), then you should comment out the rulesets relating
to those functions.

A goodly part of this process is educating yourself and other staff about
what IS and what IS NOT normal and safe for your particular network.  Once
you know which is which, then you can tune the rules accordingly.

Bob


-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Juan B
Sent: Monday, January 03, 2005 3:58 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] false positives in snort IDs

Hi,

I am wondering about the false positives issue in Snort. I want to ask all
of you if some of you reached a point in your Snort installation, a point in
configuration that you don't receive false positives at all? I mean that each
alert that you receive is something interesting that you must know about? I am
really considering trying another product because of a heavy false positive
problem in Snort (although I'm aware that all the products have the same
problem). I am receiving a lot of false positives and I need to put a lot of
manpower in this IDS; I think that it's not worth it.

thanks !!


                


-------------------------------------------------------
The SF.Net email is sponsored by: Beat the post-holiday blues
Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek.
It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
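
Added example (not part of the original thread): one way to apply the advice in the reply above, commenting out the snort.conf include lines for rulesets that target servers you do not run. The service-to-file mapping and the sample configuration are constructed assumptions; the rule file names follow the stock Snort 2.x layout, so adjust them to what your own snort.conf includes.

```python
import re

# Assumption: which stock Snort 2.x rule files belong to a server type
# that is not present on the monitored network. Extend for your own setup.
RULESETS_BY_SERVICE = {
    "iis": ["web-iis.rules"],
    "coldfusion": ["web-coldfusion.rules"],
}

# Matches only active include lines; lines already commented out do not match.
INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)\s*$")

# Constructed sample, not taken from any real deployment.
SAMPLE_CONF = """\
var RULE_PATH ../rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-misc.rules
# include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-coldfusion.rules
include classification.config
"""

def disable_rulesets(conf_text, absent_services):
    """Comment out includes for rulesets tied to services you do not run.

    Returns (new_conf_text, disabled_rule_files) so the change can be
    reviewed and logged before the configuration is reloaded.
    """
    unwanted = {f for s in absent_services
                for f in RULESETS_BY_SERVICE.get(s, [])}
    out, disabled = [], []
    for line in conf_text.splitlines():
        m = INCLUDE_RE.match(line)
        # Compare the bare file name so $RULE_PATH/ and absolute paths both match.
        name = m.group(1).rsplit("/", 1)[-1] if m else None
        if name in unwanted:
            out.append("# " + line.lstrip())
            disabled.append(name)
        else:
            out.append(line)
    return "\n".join(out) + "\n", disabled

if __name__ == "__main__":
    new_conf, disabled = disable_rulesets(SAMPLE_CONF, ["iis"])
    print(new_conf)
    print("disabled:", disabled)
```

Keep the returned list of disabled files with your change records, so the rulesets can be re-enabled if such a server is later deployed.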

