RE: Snort

From: Bénoni MARTIN (Benoni.MARTIN_at_libertis.ga)
Date: 09/30/04

  • Next message: Ron Gula: "Re: Snort" 
    Date: Thu, 30 Sep 2004 17:20:41 +0100
To: "Jeremy Gonzales" <jerdgonzales@yahoo.com>

    I am afraid there is no way to get rid of ALL the false positives !

    When I was dealing with IDS some two years ago, I configured two identical Snorts, one stayed with the default config, and the second one was tunned (by editing snort config file and changing the alerts when necessary) day after day, attack after attack, alert after alert ... to finally get to a well-tuned IDS.

    Some IDS are better than others as they will give you less false positives, but with an open source as Snort, you will have some work to do tunning it before having an reliable IDS ...

    HTH :)

    -----Message d'origine-----
    De : Jeremy Gonzales [mailto:jerdgonzales@yahoo.com]
    Envoyé : lundi 27 septembre 2004 22:09
    À : focus-ids@securityfocus.com
    Objet : Snort

    Hi,

    Does anyone have experience with snort reports? How do you deal with the loads of information? Is there a way to generate reports that eliminate the false positives? Any help will be appreciated.

    Thanks,

    Jeremy.

                    
    __________________________________
    Do you Yahoo!?
    Yahoo! Mail - 50x more storage than other providers!
    http://promotions.yahoo.com/new_mail

    --------------------------------------------------------------------------
    Test Your IDS

    Is your IDS deployed correctly?
    Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
    Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
    --------------------------------------------------------------------------

    --------------------------------------------------------------------------
    Test Your IDS

    Is your IDS deployed correctly?
    Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
    Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
    --------------------------------------------------------------------------

  • Next message: Ron Gula: "Re: Snort"

    Relevant Pages

    • RE: False Positives
      ... There isn't an IDS system that will not report "false positives" ... tools are not actually attacking but testing, and they report an attack, ... > IntruShield now offers unprecedented Intrusion IntelligenceTM ...
      (Focus-IDS)
    • False positives, negatives and dont cares
      ... Just following up the "IDS is dead, etc" thread, I thought I'd lay out ... False positives happen when the IDS ... attacks heading to targets that aren't vulnerable to them. ... that Snort generates "tons of false positives". ...
      (Focus-IDS)
    • Re: Snot/state
      ... but not eliminate false positives by enabling this feature. ... > maintaining what the IDS considers state, ... maybe the ultimate IDS is only going to alert me to things that I ... they handle quite a few attacks - attacks that they are well aware of. ...
      (Focus-IDS)
    • RE: Best Method(s) for signature verifcation.
      ... if the IDS is trying to be "smart" it may not listen on ports ... listening in order to get the IDS to see an attack. ... > Subject: Re: Best Methodfor signature verifcation. ... > false positives ...
      (Focus-IDS)
    • RE: Truth about False Positives
      ... Subject: Truth about False Positives ... When using any kind of IDS wether it is host or network based first thing to ... defining false positives & false alarms, and what steps we are taking to ... algorithms into having the most comprehensive set of IDS attack algorithms. ...
      (Focus-IDS)