Re: Proxy Servers generating false positives

["Jefferson, Shawn" <Shawn.Jefferson () bcferries com>]

Well, I could see straight off the bat that you would be possibly giving up detection on attack responses and malware 
that is proxy-aware.  Most of the malware that gets past our perimeter (and detected by my various detection systems in 
place) is web-based that users are surfing to.

________________________________
From: Chan, Wilson [mailto:wchan () honolulu gov]
Sent: Friday, October 30, 2009 1:48 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Proxy Servers generating false positives

It seems that Snort is generating a lot of false positives for the web traffic heading to our internal proxy servers. 
Instead of creating thresholds/disabling sigs per alert does it make more sense to just use a BPF to filter out port 
8080 to our proxy servers? Is this standard practice or will I lose too much on the detection realm? What am I giving 
up? Thanks!


Wilson

------------------------------------------------------------------------------
Come build with us! The BlackBerry(R) Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay 
ahead of the curve. Join us from November 9 - 12, 2009. Register now!
http://p.sf.net/sfu/devconference

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users