IDS mailing list archives
RE: Snort
From: "Wozny, Scott (US - New York)" <swozny () deloitte com>
Date: Thu, 30 Sep 2004 12:47:34 -0400
There's no magic bullet to eliminate false positives. The solution surrounds understanding the traffic that is generating the false positive and tuning (or turning off) the signature as appropriate. Snort signatures are pretty flexible so you just need to read up and do some further analysis. If you're new to this I suggest an intrusion analysis course (I liked the SANS one, but that's not a plug) to help you better understand why traffic that isn't really a threat is being logged as such. Too many people out there turn on every signature they can without understanding what's applicable to their environment and then are overwhelmed with the amount of data (i.e. if you're an environment that forces browsing through proxies you shouldn't be alerting on proxy Web GETs). Reports don't take out your false positives. Not logging forensically uninteresting traffic takes out your false positives. Once you've done some tuning and are beginning to log only events of forensic interest THEN you should look at some correlation software. There are both open source and commercial software offerings that do this differently based upon your needs. Do some research and see what fits for the kinds of reports you need to generate.

Hope this helps,

Scott

-----Original Message-----
From: Jeremy Gonzales [mailto:jerdgonzales () yahoo com]
Sent: Monday, September 27, 2004 5:09 PM
To: focus-ids () securityfocus com
Subject: Snort

Hi,

Does anyone have experience with snort reports? How do you deal with the loads of information? Is there a way to generate reports that eliminate the false positives? Any help will be appreciated.

Thanks,
Jeremy.

------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
------------------------------------------------------------------------
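The tuning approach Scott describes (find out which signature fires on which traffic, then stop logging what is forensically uninteresting for your environment) can be made concrete against Snort's own alert output. The script below is an added example written for this archive page, not code from the thread or from the Snort project: it parses constructed lines in Snort 2.x `alert_fast` format, tallies alerts per signature and per signature/source pair, and generates `threshold.conf` `suppress` entries only for sources the operator has already identified as forwarding proxies (the address `10.0.0.5` and the SIDs in the local `1000000+` range are assumptions for the sample, not values from the page). Suppressing by source keeps the same rule alerting for every other host, which is narrower than disabling the signature outright.

```python
import re
from collections import Counter

# Constructed sample lines in Snort 2.x "alert_fast" output format. The SIDs are in
# the local range (1000000+) and the addresses are private/documentation ranges;
# none of this is taken from the mailing-list thread above.
SAMPLE_ALERTS = """\
09/27-17:09:01.000001  [**] [1:1000001:1] WEB-MISC sample proxy GET [**] [Classification: Web Application Activity] [Priority: 2] {TCP} 10.0.0.5:43210 -> 192.0.2.10:80
09/27-17:09:02.000002  [**] [1:1000001:1] WEB-MISC sample proxy GET [**] [Classification: Web Application Activity] [Priority: 2] {TCP} 10.0.0.5:43211 -> 192.0.2.11:80
09/27-17:09:03.000003  [**] [1:1000001:1] WEB-MISC sample proxy GET [**] [Classification: Web Application Activity] [Priority: 2] {TCP} 10.0.0.5:43212 -> 192.0.2.12:80
09/27-17:09:04.000004  [**] [1:1000001:1] WEB-MISC sample proxy GET [**] [Classification: Web Application Activity] [Priority: 2] {TCP} 10.0.0.5:43213 -> 192.0.2.13:80
09/27-17:09:05.000005  [**] [1:1000001:1] WEB-MISC sample proxy GET [**] [Classification: Web Application Activity] [Priority: 2] {TCP} 10.0.0.77:51000 -> 192.0.2.10:80
09/27-17:09:06.000006  [**] [1:1000002:1] WEB-MISC sample directory traversal attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.77:51001 -> 192.0.2.10:80
"""

# [gid:sid:rev] msg [**] ... {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r".*\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)


def strip_port(endpoint: str) -> str:
    """Return the IPv4 address part of 'ip:port'; endpoints without a port pass through.
    (IPv6 endpoints are not handled by this sample; they contain several colons.)"""
    return endpoint.rsplit(":", 1)[0] if endpoint.count(":") == 1 else endpoint


def parse_alert(line: str):
    """Parse one alert_fast line into a dict, or return None for lines that don't match."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return {
        "gid": int(m["gid"]),
        "sid": int(m["sid"]),
        "msg": m["msg"],
        "proto": m["proto"],
        "src": strip_port(m["src"]),
        "dst": strip_port(m["dst"]),
    }


def tally(lines):
    """Count alerts per (gid, sid, msg) and per (gid, sid, src) so the noisiest
    signature/source pairs stand out before any tuning decision is made."""
    by_sig, by_sig_src = Counter(), Counter()
    for line in lines:
        a = parse_alert(line)
        if a:
            by_sig[(a["gid"], a["sid"], a["msg"])] += 1
            by_sig_src[(a["gid"], a["sid"], a["src"])] += 1
    return by_sig, by_sig_src


def suggest_suppressions(lines, known_proxies, min_count=3):
    """Emit Snort threshold.conf 'suppress' lines for signatures that fire repeatedly
    from hosts the operator has already identified as forwarding proxies. Only those
    sources are suppressed; the same signature still alerts for every other host."""
    _, by_sig_src = tally(lines)
    out = []
    for (gid, sid, src), n in sorted(by_sig_src.items()):
        if src in known_proxies and n >= min_count:
            out.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}")
    return out


if __name__ == "__main__":
    by_sig, _ = tally(SAMPLE_ALERTS.splitlines())
    for (gid, sid, msg), n in by_sig.most_common():
        print(f"{n:4d}  [{gid}:{sid}] {msg}")
    # Assumed for the sample: 10.0.0.5 is the site's mandatory outbound web proxy.
    for rule in suggest_suppressions(SAMPLE_ALERTS.splitlines(), {"10.0.0.5"}):
        print(rule)
```

The generated lines are the review output, not something to apply blindly: the point of the tally is to see what the signature actually fires on first, and the `known_proxies` set is the operator's knowledge of the environment, which is exactly the understanding the reply says reporting tools cannot substitute for.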