Snort mailing list archives
RE: Common false positives
From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Tue, 25 Feb 2003 11:30:46 -0600
There are lots of others that depend upon whether or not you actually have the software - yabb.pl, count.cgi, etc., etc. If you aren't running those things, why bother alerting on that noise? The internet is *full* of all sorts of extraneous noise that only affects you if you are actually running the software that the noise is aimed at.

Here's how I started - I looked at the top fifteen sources and studied the kinds of alerts I was getting, and began eliminating those that I didn't care about. IIS rules that trigger from worm activity were commented out and replaced with "reverse" rules ($HOME_NET any -> $EXTERNAL_NET 80) because we only care about machines on our network that are infected, not about machines on the Internet. Etc., etc.

There is no way to avoid the work of getting your IDS "tuned" to your network, and there's no formula that can do it for you.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/

-----Original Message-----
From: Matt Kettler [mailto:mkettler () EVI-INC COM]
Sent: Tuesday, February 25, 2003 11:07 AM
To: John Cherbini; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Common false positives

Well, there's lots of common "non-issue" cases.. In general, your first hint should be to look at the classification of the rule that fired..
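The two steps Paul describes (rank the noisiest sources and see what they trigger, then comment out the inbound IIS worm rule and replace it with a "reverse" $HOME_NET -> $EXTERNAL_NET 80 rule), as an added example that is not code from the list post. The alert lines are a constructed sample in Snort's alert_fast output format; the sid 1000001, the message strings and the addresses are hypothetical, not real Snort rules.

```python
import re
from collections import Counter

# Constructed sample of Snort "alert_fast" output (one alert per line).
# sid 1000001 and the messages are hypothetical; addresses are documentation ranges.
SAMPLE_ALERTS = [
    '02/25-11:07:03.123456  [**] [1:1000001:1] WEB-IIS hypothetical worm probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.5:2345 -> 192.0.2.10:80',
    '02/25-11:07:04.223456  [**] [1:1000001:1] WEB-IIS hypothetical worm probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.5:2346 -> 192.0.2.11:80',
    '02/25-11:07:05.323456  [**] [1:1000001:1] WEB-IIS hypothetical worm probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.5:2347 -> 192.0.2.12:80',
    '02/25-11:08:10.423456  [**] [1:1000002:1] WEB-CGI hypothetical count.cgi access [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 198.51.100.7:40001 -> 192.0.2.10:80',
    '02/25-11:08:11.523456  [**] [1:1000002:1] WEB-CGI hypothetical count.cgi access [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 198.51.100.7:40002 -> 192.0.2.13:80',
    # An outbound hit from a HOME_NET host: this is the one the "reverse" rule exists to catch.
    '02/25-11:09:00.623456  [**] [1:1000001:1] WEB-IIS hypothetical worm probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.44:3101 -> 203.0.113.9:80',
]

# alert_fast layout: timestamp [**] [gid:sid:rev] msg [**] [Classification..] [Priority..] {proto} src:port -> dst:port
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_fast_alert(line):
    """Return the alert's fields as a dict, or None if the line is not a fast alert."""
    m = FAST_RE.match(line)
    return m.groupdict() if m else None


def top_sources(lines, n=15):
    """Step one of the triage: the n source IPs that generate the most alerts."""
    counts = Counter()
    for line in lines:
        alert = parse_fast_alert(line)
        if alert:
            counts[alert["src"]] += 1
    return counts.most_common(n)


def signatures_for(lines, src):
    """What one noisy source actually trips, so you can decide if you care about it."""
    counts = Counter()
    for line in lines:
        alert = parse_fast_alert(line)
        if alert and alert["src"] == src:
            counts[alert["msg"]] += 1
    return counts.most_common()


# Rule header: action proto src_net src_port direction dst_net dst_port (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*(?P<opts>\(.*\))\s*$"
)


def reverse_rule(rule):
    """Build the 'reverse' of an inbound EXTERNAL->HOME web rule.

    The content match (rule options) is kept as-is; only the header is flipped so the
    rule watches HOME_NET hosts talking *out* to the original destination port (80).
    Only an infected machine on your own network can then fire it.
    """
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError(f"not a Snort rule with a header and options: {rule!r}")
    h = m.groupdict()
    if h["dir"] != "->":
        raise ValueError("bidirectional (<>) rule already covers both directions")
    return f'{h["action"]} {h["proto"]} {h["dst"]} any -> {h["src"]} {h["dport"]} {h["opts"]}'


def retune_rule(rule):
    """Return the rules-file text that replaces an inbound rule: the original commented
    out, followed by its reverse."""
    return f"# {rule.strip()}\n{reverse_rule(rule)}"


if __name__ == "__main__":
    for src, count in top_sources(SAMPLE_ALERTS):
        print(f"{count:4d}  {src}")
        for msg, n in signatures_for(SAMPLE_ALERTS, src):
            print(f"        {n:3d}  {msg}")
    # Hypothetical inbound IIS worm rule, retuned the way the mail describes.
    print(retune_rule('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-IIS hypothetical worm probe"; flow:to_server,established; content:"/root.exe"; sid:1000001; rev:1;)'))
```

Because the options are copied unchanged, a `flow:to_server` keyword still makes sense in the reversed rule: the infected HOME_NET host is still the client sending the request. The constructed sample also shows why the reversal matters: five of the six alerts come from outside and are pure noise unless you run the targeted software, while the single outbound hit from 192.0.2.44 is the one you actually need to see.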
Current thread:
- Common false positives John Cherbini (Feb 25)
- Re: Common false positives Matt Kettler (Feb 25)
- Re: Common false positives Bennett Todd (Feb 25)
- <Possible follow-ups>
- RE: Common false positives Schmehl, Paul L (Feb 25)