RE: Snort
From: Wozny, Scott (US - New York) (swozny_at_deloitte.com)
Date: 09/30/04
- Previous message: Alex Butcher, ISC/ISYS: "Re: Snort"
- Next in thread: Bénoni MARTIN: "RE: Snort"
- Maybe reply: Bénoni MARTIN: "RE: Snort"
- Maybe reply: Leon De France: "RE: Snort"
- Maybe reply: Phil Hollows: "RE: Snort"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 30 Sep 2004 12:47:34 -0400 To: "Jeremy Gonzales" <jerdgonzales@yahoo.com>, <focus-ids@securityfocus.com>
There's no magic bullet to eliminate false positives. The solution
surrounds understanding the traffic that is generating the false
positive and tuning (or turning off) the signature as appropriate.
Snort signatures are pretty flexible so you just need to read up and do
some further analysis. If you're new to this I suggest an intrusion
analysis course (I liked the SANS one, but that's not a plug) to help
you better understand why traffic that isn't really a threat is being
logged as such. Too many people out there turn on every signature they
can without understanding what's applicable to their environment and
then are overwhelmed with the amount of data (i.e. if you're an
environment that forces browsing through proxies you shouldn't be
alerting on proxy Web GETs). Reports don't take out your false
positives. Not logging forensically uninteresting traffic takes out you
false positives.
Once you've done some tuning and are beginning to log only events of
forensic interest THEN you should look at some correlation software.
There are both open source and commercial software offerings that do
this differently based upon your needs. Do some research and see what
fits for the kinds of reports you need to generate.
Hope this helps,
Scott
-----Original Message-----
From: Jeremy Gonzales [mailto:jerdgonzales@yahoo.com]
Sent: Monday, September 27, 2004 5:09 PM
To: focus-ids@securityfocus.com
Subject: Snort
Hi,
Does anyone have experience with snort reports? How do
you deal with the loads of information? Is there a way
to generate reports that eliminate the false
positives? Any help will be appreciated.
Thanks,
Jeremy.
__________________________________
Do you Yahoo!?
Yahoo! Mail - 50x more storage than other providers!
http://promotions.yahoo.com/new_mail
------------------------------------------------------------------------
-- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------ -- This message (including any attachments) contains confidential information intended for a specific individual and purpose, and is protected by law. If you are not the intended recipient, you should delete this message. Any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited. -------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. --------------------------------------------------------------------------
- Previous message: Alex Butcher, ISC/ISYS: "Re: Snort"
- Next in thread: Bénoni MARTIN: "RE: Snort"
- Maybe reply: Bénoni MARTIN: "RE: Snort"
- Maybe reply: Leon De France: "RE: Snort"
- Maybe reply: Phil Hollows: "RE: Snort"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
