Re: Tuning snort for false positives.

[fatema bannatwala via Snort-users <snort-users () lists snort org>]

Hmm, that would be harder to achieve because of our network architecture.
And would require lot of network redesigning, that I do see happening in
near future, sadly.. :/

Thanks!

On Wed, Jan 3, 2018 at 3:14 PM, Joel Esler (jesler) <jesler () cisco com>
wrote:

> Step one would be to move them inside the firewall.  That should cut down
> on a ton of events I’d think.
>
> *--*
> *Joel Esler *| *Talos:* Manager | jesler () cisco com
>
>
>
>
>
>
> On Jan 3, 2018, at 3:11 PM, fatema bannatwala <fatema.bannatwala () gmail com>
> wrote:
>
> Thanks Joel for the response, and sharing the link to submit FPs.
>
> Also, wanted to ask, if you could provide some leads in the direction of
> tuning snorts, would be helpful.
>
>
> Thanks,
> Fatema.
>
> On Wed, Jan 3, 2018 at 2:56 PM, Joel Esler (jesler) <jesler () cisco com>
> wrote:
>
> > There are all kinds of methods to tuning Snort.  That being said, if you
> > believe that 90% of your alerts are false positives, it would probably be
> > beneficial to report those false positives to the rule writers.
> >
> > Instructions to file a false positive report: Submit a False Positive
> > <http://blog.snort.org/2016/11/reporting-false-positives-with-snortorg.html>
> > .
> >
> >
> > *--*
> > *Joel Esler *| *Talos:* Manager | jesler () cisco com
> >
> >
> >
> >
> >
> >
> > On Jan 3, 2018, at 2:23 PM, fatema bannatwala via Snort-users <
> > snort-users () lists snort org> wrote:
> >
> > Most of the time almost 90% of the alerts result in false positive, and
> > is kind of time consuming
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette