IDS mailing list archives

Re: Snort

From: "Alex Butcher, ISC/ISYS" <Alex.Butcher () bristol ac uk>
Date: Wed, 29 Sep 2004 10:52:51 +0100

--On 27 September 2004 14:09 -0700 Jeremy Gonzales <jerdgonzales () yahoo com>wrote:

Does anyone have experience with snort reports? How do
you deal with the loads of information? Is there a way
to  generate reports that eliminate the false
positives? Any help will be appreciated.


1) Tune your rules to eliminate false positives

2) Tune classification of rules (e.g. add new, more specific,classifications and use them appropriately)

3) Tune priority of classifications
4) Only report on priority 1 events.

Oinkmaster is useful for part 3, as you can use modifysid to change theclasstype based on part of the message (e.g. 'P2P' or 'CHAT').

Thanks,
Jeremy.


Best Regards,
Alex.
--
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9



--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------

Current thread:

Snort Jeremy Gonzales (Sep 30)
- Re: Snort Alex Butcher, ISC/ISYS (Sep 30)
- Re: Snort SuxxToBe (Sep 30)
- Re: Snort Ron Gula (Sep 30)
- Re: Snort Jose Maria Lopez (Sep 30)
- <Possible follow-ups>
- RE: Snort Wozny, Scott (US - New York) (Sep 30)
- RE: Snort Bénoni MARTIN (Sep 30)