Re: Snort

From: Graeme Connell (gconnell_at_middlebury.edu)
Date: 09/30/04

    Date: Thu, 30 Sep 2004 13:04:24 -0400
    To: Jeremy Gonzales <jerdgonzales@yahoo.com>
    
    

    Jeremy,
        You've just encountered one of the largest and most difficult
    problems in the IDS industry today: How to deal with the information
    you receive. There are numerous projects designed to present data
    stored by Snort in a more comprehensive way. You can check out the
    following projects:

           ACID: http://acidlab.sourceforge.net/
           SnortSnarf: http://www.snort.org/dl/contrib/data_analysis/snortsnarf/
           Sguil: http://sguil.sourceforge.net/

    All are available for free, and all attempt to parse the data received
    from Snort in a way that's manageable.
        Eliminating false positives is, I'm afraid, an unattainable goal.
    You can try to remove the most common ones you receive by modifying the
    rules that Snort uses, but remember that this will increase the
    possibility of false negatives, or attacks that go unnoticed. I'd check
    out the projects above before attempting to modify the rule files for
    Snort, and if you still have problems, consider that as a second option.

           --Graeme Connell

    Jeremy Gonzales wrote:

    >Hi,
    >
    >Does anyone have experience with snort reports? How do
    >you deal with the loads of information? Is there a way
    >to generate reports that eliminate the false
    >positives? Any help will be appreciated.
    >
    >Thanks,
    >
    >Jeremy.
    >

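Graeme's advice is to see what Snort is actually producing before touching the rule files. As an added example (not code from the reply or from ACID, SnortSnarf or Sguil), here is a small Python script that parses Snort 2 fast-format alert lines, ranks the signatures that fire most often, and drafts threshold.conf `suppress` entries for the rule/source pairs behind the noise so they can be reviewed rather than silently dropped. The alert lines and local-range SIDs are constructed for the example.

```python
import re
from collections import Counter

# Constructed Snort 2 alert_fast lines (SIDs in the local 1000000+ range);
# not real alerts from the list discussion.
SAMPLE_ALERTS = """\
09/30/04-13:01:02.100000  [**] [1:1000001:1] SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.0.0.5:1034 -> 10.0.0.20:161
09/30/04-13:01:05.200000  [**] [1:1000001:1] SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.0.0.5:1035 -> 10.0.0.21:161
09/30/04-13:01:09.300000  [**] [1:1000001:1] SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.0.0.5:1036 -> 10.0.0.22:161
09/30/04-13:02:10.400000  [**] [1:1000002:3] WEB-MISC /etc/passwd [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.7:44321 -> 10.0.0.80:80
09/30/04-13:03:11.500000  [**] [1:1000003:2] ICMP PING NMAP [**] [Priority: 2] {ICMP} 192.0.2.9 -> 10.0.0.80
"""

# Fast format: timestamp [**] [gid:sid:rev] msg [**] [Classification: ...]
# [Priority: n] {PROTO} src[:port] -> dst[:port]. Classification and ports
# are optional (ICMP alerts carry no ports).
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"\s+\[Priority:\s*(?P<pri>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_fast_alerts(text):
    """Return one dict per parsable alert line; lines that do not match are skipped."""
    return [m.groupdict() for m in map(FAST_RE.match, text.splitlines()) if m]


def noisiest(alerts, n=3):
    """Top-n (gid, sid, msg) by hit count: the candidates worth reviewing for tuning."""
    return Counter((a["gid"], a["sid"], a["msg"]) for a in alerts).most_common(n)


def suggest_suppress(alerts, min_hits=3):
    """Draft Snort 2 threshold.conf 'suppress' lines for (rule, source IP) pairs
    that fired at least min_hits times. Each line hides that pair entirely,
    which is the false-negative trade-off the reply warns about, so treat the
    output as a review list, not as a config to deploy as-is."""
    pairs = Counter((a["gid"], a["sid"], a["src"]) for a in alerts)
    return [f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {ip}"
            for (gid, sid, ip), hits in pairs.most_common() if hits >= min_hits]


if __name__ == "__main__":
    parsed = parse_fast_alerts(SAMPLE_ALERTS)
    for (gid, sid, msg), hits in noisiest(parsed):
        print(f"{hits:4d}  [{gid}:{sid}] {msg}")
    print("\n".join(suggest_suppress(parsed)))
```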