Snort mailing list archives

Re: Help to configure SNORT


From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 24 Dec 2003 10:29:12 -0500

At 05:00 PM 12/23/2003, Lorenzo Rossi wrote:
Do you think it is a good idea to have "evasion_alerts" enabled even if it
causes lots of alerts?

Really, what level of "false alarms" is acceptable is a function of how you use snort and what you want from it.

Some people like snort to run pretty quiet, and only alert for very suspicious things. This way, when snort fires they know they should pay attention because something is likely to be wrong.

Others like snort to try to catch pretty much everything that's remotely odd. This winds up generating a lot of false alarms and runs the risk of having an important alert get overlooked because it's buried in a pile of other alerts. However, it has the advantage of giving you a lot of extra forensic data to work with in the event of an intrusion.

The evasion alerts are highly prone to false positives. At least 90% of the evasion alerts will be false positives due to some broken TCP/IP stack. They can be useful when tracking down a "what happened here" case after an intrusion, but in and of themselves they cannot be considered a sign of attack.

If you're the kind of person that wants lots of logging data, go ahead and leave them on, but don't let them lull you into ignoring everything that comes out of snort.
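As an added illustration of that last point (example code, not from the original thread or the Snort project), a small Python triage script that parses Snort alert_fast lines and keeps preprocessor evasion alerts as per-signature counts instead of dropping them, so they remain available as forensic data without burying the rule alerts. The regex, the sample lines and their SIDs/messages are constructed for this example; generator ID 111 is assumed to be stream4's as in Snort 2.x gen-msg.map.

```python
import re
from collections import Counter

# Parser for Snort's alert_fast line format (regex written for this example).
FAST_RE = re.compile(
    r'^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+'
    r'(?P<msg>.*?)\s+\[\*\*\]'
    r'(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?'
    r'\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+'
    r'(?P<src>\S+)\s+->\s+(?P<dst>\S+)$'
)

# Generator IDs treated as low-fidelity noise. GID 1 is rule alerts; preprocessors
# use other GIDs, and 111 is assumed here to be spp_stream4 (Snort 2.x).
NOISY_GIDS = {111}

# Constructed sample alerts; SIDs and messages are made up for illustration.
SAMPLE_ALERTS = """\
12/24-10:01:02.000001 [**] [111:8:1] (spp_stream4) STEALTH ACTIVITY (unknown) detection [**] [Priority: 3] {TCP} 10.0.0.5:40012 -> 10.0.0.9:80
12/24-10:01:03.000002 [**] [111:9:1] (spp_stream4) possible EVASIVE RST detection [**] [Priority: 3] {TCP} 10.0.0.5:40013 -> 10.0.0.9:80
12/24-10:01:04.000003 [**] [1:1000001:2] EXAMPLE web attack signature [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.7:51000 -> 10.0.0.9:80
12/24-10:01:05.000004 [**] [111:9:1] (spp_stream4) possible EVASIVE RST detection [**] [Priority: 3] {TCP} 10.0.0.6:40020 -> 10.0.0.9:80
"""


def parse_alert(line):
    """Return a dict for one alert_fast line, or None if it does not parse."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["gid"], d["sid"], d["prio"] = int(d["gid"]), int(d["sid"]), int(d["prio"])
    return d


def triage(text, noisy_gids=NOISY_GIDS):
    """Split alerts into a 'pay attention' list and a noise summary.

    Noise is counted per (gid, sid, msg) rather than discarded, so it is still
    there for a "what happened here" investigation, while rule alerts are
    listed individually so they cannot be lost in the pile."""
    attention, noise = [], Counter()
    for line in text.splitlines():
        a = parse_alert(line)
        if a is None:
            continue
        if a["gid"] in noisy_gids:
            noise[(a["gid"], a["sid"], a["msg"])] += 1
        else:
            attention.append(a)
    return attention, noise


if __name__ == "__main__":
    hits, summary = triage(SAMPLE_ALERTS)
    for a in hits:
        print(f"ATTENTION prio={a['prio']} {a['msg']} {a['src']} -> {a['dst']}")
    for (gid, sid, msg), n in summary.most_common():
        print(f"noise x{n} [{gid}:{sid}] {msg}")
```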


