Snort mailing list archives

snort rule tuning and weeding out false positives


From: "Youngquist, Jason R." <jryoungquist () ccis edu>
Date: Thu, 17 Mar 2011 12:30:19 +0000

Hi.

I'm new to Snort and am trying to weed out false positives and ignore events that are purely informational.  I was 
wondering if anyone could recommend any good howtos/docs/methodology on how to go about Snort rule tuning.

For example, I have this rule, sid 17441, which is "CHAT MSN Messenger and Windows Live Messenger Code Execution 
attempt" and have gotten it several times from multiple student machines.  It appears that this was an issue back in 
2007 with Microsoft MSN Messenger 6.2, 7.0, and 7.5.  Right now, Windows Live Messenger 2011 seems to be the current 
version.  So I'm assuming that this is a false positive and I can ignore this rule.  Thoughts?

Thanks.
Jason Youngquist
Information Technology Security Engineer
Technology Services
Columbia College
1001 Rogers Street, Columbia, MO  65216
(573) 875-7334
jryoungquist () ccis edu
http://www.ccis.edu
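
The usual way to answer a question like the one above is to measure before deciding: tally the alert log by generator/signature id, see which hosts trigger each rule and in which direction, and only then decide between a full `suppress`, a `suppress` scoped to the internal hosts (so the same signature still fires on inbound traffic), or an `event_filter` that keeps the rule but limits how often it logs. Snort 2.x reads those entries from threshold.conf (included from snort.conf). The script below is an added example written for this thread; it is not code from the Snort project or from the poster. The alert lines in it are constructed to look like Snort's alert_fast output (the rev number, classification strings, addresses and the 10.20.0.0/16 home network are assumptions, not captured data), and the choice of a 3-hit threshold is arbitrary.

```python
"""Tally Snort alert_fast lines by rule and emit threshold.conf tuning entries.

Added example for the tuning question above; not Snort project code or the
poster's code. SAMPLE_ALERTS is constructed, not captured output.
"""
import ipaddress
import re

# alert_fast layout (Snort 2.x, -A fast):
#   <timestamp>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n]
#   {proto} src[:port] -> dst[:port]
# IPv4 only here; the port is optional so ICMP lines also match.
ALERT_RE = re.compile(
    r"^\S+\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)?"
    r"\s+->\s+(?P<dst>\d+\.\d+\.\d+\.\d+)(?::\d+)?$"
)

# Constructed sample: four hits of sid 17441 from three internal hosts going
# out to a Messenger server, and three hits of another rule from one external host.
MSN = "CHAT MSN Messenger and Windows Live Messenger Code Execution attempt"
SAMPLE_ALERTS = f"""\
03/17-09:12:01.118265  [**] [1:17441:5] {MSN} [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {{TCP}} 10.20.5.17:52144 -> 64.4.9.254:1863
03/17-09:12:44.507710  [**] [1:17441:5] {MSN} [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {{TCP}} 10.20.7.88:49211 -> 64.4.9.254:1863
03/17-09:15:09.001324  [**] [1:17441:5] {MSN} [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {{TCP}} 10.20.5.17:52190 -> 64.4.9.254:1863
03/17-09:16:33.882009  [**] [1:2003:8] SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {{UDP}} 203.0.113.9:3131 -> 10.20.1.2:1434
03/17-09:16:35.100217  [**] [1:2003:8] SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {{UDP}} 203.0.113.9:3131 -> 10.20.1.3:1434
03/17-09:16:36.412960  [**] [1:2003:8] SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {{UDP}} 203.0.113.9:3131 -> 10.20.1.4:1434
03/17-09:18:40.120044  [**] [1:17441:5] {MSN} [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {{TCP}} 10.20.9.3:50011 -> 64.4.9.254:1863
"""


def parse_alerts(text):
    """Parse alert_fast lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["gid"], d["sid"], d["rev"] = int(d["gid"]), int(d["sid"]), int(d["rev"])
            events.append(d)
    return events


def summarize(events):
    """Group events by (gid, sid): hit count, distinct sources and destinations."""
    summary = {}
    for e in events:
        s = summary.setdefault((e["gid"], e["sid"]),
                               {"msg": e["msg"], "count": 0, "sources": set(), "dests": set()})
        s["count"] += 1
        s["sources"].add(e["src"])
        s["dests"].add(e["dst"])
    return summary


def suppress_line(gid, sid, track=None, ip=None):
    """threshold.conf 'suppress' entry. Without track/ip the rule is silenced
    everywhere; with them only events whose tracked address is in ip are dropped."""
    line = f"suppress gen_id {gid}, sig_id {sid}"
    if track:
        line += f", track {track}, ip {ip}"
    return line


def event_filter_line(gid, sid, count, seconds, track="by_src"):
    """threshold.conf 'event_filter' (type limit): keep the rule, but log at most
    `count` alerts per `seconds` for each tracked address."""
    return (f"event_filter gen_id {gid}, sig_id {sid}, type limit, "
            f"track {track}, count {count}, seconds {seconds}")


def tuning_plan(text, home_net, noisy_threshold=3):
    """Suggest threshold.conf lines for rules firing at least noisy_threshold times.

    A rule triggered only by home_net hosts (outbound chatter, like the MSN case
    above) gets a suppress scoped to home_net by source, so it still fires for
    inbound traffic. Anything else is rate-limited rather than silenced.
    """
    net = ipaddress.ip_network(home_net)
    lines = []
    for (gid, sid), s in sorted(summarize(parse_alerts(text)).items()):
        if s["count"] < noisy_threshold:
            continue
        internal_only = all(ipaddress.ip_address(src) in net for src in s["sources"])
        if internal_only:
            lines.append(suppress_line(gid, sid, "by_src", home_net))
        else:
            lines.append(event_filter_line(gid, sid, count=1, seconds=3600))
    return lines


if __name__ == "__main__":
    for key, s in sorted(summarize(parse_alerts(SAMPLE_ALERTS)).items()):
        print(f"{key[0]}:{key[1]} hits={s['count']} sources={len(s['sources'])} {s['msg']}")
    print("\n".join(tuning_plan(SAMPLE_ALERTS, "10.20.0.0/16")))
```

Before committing a `suppress`, it is worth confirming the hits really are the known-benign case: every source here is an internal client talking to the Messenger service port, which is the pattern the poster describes. If the same signature ever fired on inbound traffic toward internal hosts, the scoped suppress above would still let it through, which is the reason for scoping rather than silencing the rule outright.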

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
