Re: Snort
From: Graeme Connell (gconnell_at_middlebury.edu)
Date: 09/30/04
- Previous message: Joseph Hamm: "RE: IDS Sensor operation"
- Maybe in reply to: Alex Butcher, ISC/ISYS: "Re: Snort"
- Next in thread: Martin Roesch: "Re: Snort"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 30 Sep 2004 13:04:24 -0400 To: Jeremy Gonzales <jerdgonzales@yahoo.com>
Jeremy,
You've just encountered one of the largest and most difficult
problems in the IDS industry today: How to deal with the information
you receive. There are numerous projects designed to present data
stored by Snort in a more comprehensive way. You can check out the
following projects:
ACID: http://acidlab.sourceforge.net/
SnortSnarf:
http://www.snort.org/dl/contrib/data_analysis/snortsnarf/
Sguil: http://sguil.sourceforge.net/
All are available for free, and all attempt to parse the data received
from Snort in a way that's managable.
Eliminating false positives is, I'm afraid, an unattainable goal.
You can try to remove the most common ones you receive by modifying the
rules that snort uses, but remember that this will increase the
possibility of false negatives, or attacks that go unnoticed. I'd check
out the projects above before attempting to modify the rule files for
Snort, and if you still have problems, consider that as a second option.
--Graeme Connell
Jeremy Gonzales wrote:
>Hi,
>
>Does anyone have experience with snort reports? How do
>you deal with the loads of information? Is there a way
>to generate reports that eliminate the false
>positives? Any help will be appreciated.
>
>Thanks,
>
>Jeremy.
>
>
>
>
>__________________________________
>Do you Yahoo!?
>Yahoo! Mail - 50x more storage than other providers!
>http://promotions.yahoo.com/new_mail
>
>--------------------------------------------------------------------------
>Test Your IDS
>
>Is your IDS deployed correctly?
>Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
>Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
>--------------------------------------------------------------------------
>
>
>
>
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------
- Previous message: Joseph Hamm: "RE: IDS Sensor operation"
- Maybe in reply to: Alex Butcher, ISC/ISYS: "Re: Snort"
- Next in thread: Martin Roesch: "Re: Snort"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
