Snort mailing list archives

Fwd: Tuning snort for false positives.


From: fatema bannatwala via Snort-users <snort-users () lists snort org>
Date: Wed, 3 Jan 2018 14:23:51 -0500

Sent it to snort-users () lists sourceforge net before; looks like this is the right one to forward to.


Hi,

I have been struggling for the past couple of months in tuning our Snort deployment to produce some valuable alerts that we can take action on. Most of the time almost 90% of the alerts are false positives, and it is kind of time-consuming investigating each and every alert without knowing if it's legit or not.

Hence, I finally thought to ask the Snort community here, so that we can get the most value out of our Snort deployment, and if people can share their recipes to tune down Snort, that would be a great help.

We have two Snort sensors deployed in production capturing all the network traffic on a ~10 Gbps link, sitting OUTSIDE our network firewall (i.e. traffic hits the sensors first before hitting the firewalls). And it generates tens of thousands of alerts every day, making it almost a full-time job just to go through the alerts to find a needle in the haystack.

We are using the ET and VRT rule sets with almost ~25K rules enabled. I have also followed a couple of online guides to tune the Snort config by setting HOME_VAR and other configurable IP address ranges (like for DNS servers, HTTP servers etc.), but it didn't help much and we are still getting lots of alerts.

Is there anything that could be done for tuning down the Snort sensors more, so that we can get some real actionable items?

P.S. We are using Snort 2.9.9.0, if that matters.

Thanks,
Fatema.
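A practical first step for the triage problem described above is to find out which signatures and which sources account for most of the volume before touching any rule. The script below is an added example (not from the original post or the Snort project): it parses Snort 2.9 `alert_fast` output, ranks signatures by hit count with their dominant source, and drafts `threshold.conf` candidates (`suppress` for a signature dominated by one source, `event_filter` rate limits otherwise) for an analyst to review. The SIDs, messages and addresses in `SAMPLE` are constructed; the `share` threshold is an assumed tuning knob.

```python
import re
from collections import Counter, defaultdict

# alert_fast record: "ts  [**] [gid:sid:rev] msg [**] [Classification: ..] [Priority: N] {PROTO} src:port -> dst:port"
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\*\*\]"
    r".*?\{\w+\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?")

def parse_alerts(lines):
    """Yield (gid, sid, msg, src) for every line that parses; skip the rest."""
    for line in lines:
        m = ALERT_RE.search(line)
        if m:
            yield int(m["gid"]), int(m["sid"]), m["msg"], m["src"]

def rank_signatures(lines):
    """Return [(gid, sid, msg, total, top_src, top_src_hits), ...], noisiest first."""
    totals, msgs, srcs = Counter(), {}, defaultdict(Counter)
    for gid, sid, msg, src in parse_alerts(lines):
        totals[(gid, sid)] += 1
        msgs[(gid, sid)] = msg
        srcs[(gid, sid)][src] += 1
    ranked = []
    for key, total in totals.most_common():
        top_src, top_hits = srcs[key].most_common(1)[0]
        ranked.append((*key, msgs[key], total, top_src, top_hits))
    return ranked

def draft_filters(ranked, share=0.8, seconds=60):
    """Draft threshold.conf lines for an analyst to review: suppress a signature
    for one source that causes >= `share` of its hits, else rate-limit it per source."""
    out = []
    for gid, sid, _msg, total, top_src, top_hits in ranked:
        if top_hits / total >= share:
            out.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {top_src}")
        else:
            out.append(f"event_filter gen_id {gid}, sig_id {sid}, type limit, "
                       f"track by_src, count 1, seconds {seconds}")
    return out

# Constructed alert_fast lines (local-range SIDs, RFC 5737 test addresses), not real traffic.
_FMT = ("01/03-14:23:{s:02d}.000000  [**] [1:{sid}:1] {msg} [**] [Classification: "
        "Misc activity] [Priority: 3] {{UDP}} {src}:5353 -> 198.51.100.9:53")
SAMPLE = (
    [_FMT.format(s=i, sid=1000001, msg="LOCAL constructed noisy policy rule", src="203.0.113.10") for i in range(9)]
    + [_FMT.format(s=9, sid=1000001, msg="LOCAL constructed noisy policy rule", src="203.0.113.11")]
    + [_FMT.format(s=i, sid=1000002, msg="LOCAL constructed scattered rule", src=f"203.0.113.{20 + i}") for i in range(4)]
    + ["01/03-14:23:59.000000 not an alert line, ignored by the parser"])
CANDIDATES = draft_filters(rank_signatures(SAMPLE))  # review before adding to threshold.conf
```

Run it against a real `alert` file by passing `open(path)` instead of `SAMPLE`; the output lines are suggestions to be confirmed by an analyst, since a single noisy source may also be the one worth watching.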
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
