General ruleset tweaking and testing resources

From: Darren Spruell (darren_spruell_at_sento.com)
Date: 06/23/04

    Date: Tue, 22 Jun 2004 16:54:07 -0600
    To: focus-ids@securityfocus.com

    We're rolling out a new IDS implementation. Undoubtedly there are going
    to be far too many alerts to deal with initially, but we want to put a
    lot of focus on reducing false positives and tweaking our sensors for
    accuracy.

    Our current IDS implementation is prelude-ids, which uses a lot of Snort
    rules and other types as well.

    Are there general best practices for ruleset optimization? And can
    someone suggest good strategies for tweaking Snort and/or Prelude rules
    to minimize false positives?

    TIA

    -- 
    DS