Snort with an expert system
Hi everybody
I'm coupling an IDS with an expert system. I want to prove that this could
decrease the number of false positives. I chose Snort as an IDS.
Because of the huge number of signatures, I just want (for now) to take a
little set of signatures and design the expert system rules according to
these signatures to work like an administrator would do (analyse logs,
monitor the alerts, know if it's a false positive or not, make decision).
So, what is in your opinion the right set of signatures to take (for
example, the signatures that generate a lot of false positives)?
Thx!
--
View this message in context: http://www.nabble.com/Snort-with-an-expert-system-tp22881974p22881974.html
Sent from the IDS (Intrusion Detection System) mailing list archive at Nabble.com.
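One shape such an expert-system layer can take, as an added example that is not from the original post or from Snort itself: a few Python rules that apply site knowledge (an authorised scanner address, which hosts run which service) to constructed Snort alert_fast lines and decide whether each alert is a false positive or needs an analyst. The addresses, sid, message and inventory are all assumed for the example.

```python
import re
# Constructed Snort "alert_fast"-style lines (hypothetical hosts and sid, not real traffic).
SAMPLE_ALERTS = """\
03/12-14:01:02.123456  [**] [1:1002:7] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:43210 -> 192.168.1.10:80
03/12-14:01:09.555000  [**] [1:1002:7] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:51000 -> 192.168.1.20:80
03/12-14:02:15.000001  [**] [1:1002:7] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:51001 -> 192.168.1.30:80
"""

# Site knowledge an administrator applies by hand (assumed values for this example).
FACTS = {
    "scanners": {"10.0.0.5"},                              # authorised vulnerability scanner
    "services": {"192.168.1.10": {"iis"}, "192.168.1.20": {"apache"}, "192.168.1.30": {"iis"}},
    "sig_service": {1002: "iis"},                          # sid -> service the attack needs
}

ALERT_RE = re.compile(
    r"\[\*\*\] \[\d+:(?P<sid>\d+):\d+\] (?P<msg>.+?) \[\*\*\]"
    r".*?\{\w+\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+"
)

def parse_alert(line):
    """Return {'sid','msg','src','dst'} for one alert_fast line, or None if it does not match."""
    m = ALERT_RE.search(line)
    return {"sid": int(m["sid"]), "msg": m["msg"], "src": m["src"], "dst": m["dst"]} if m else None

# Expert-system rules: each returns a verdict string, or None when the rule does not apply.
def rule_authorised_scanner(a, facts):
    if a["src"] in facts["scanners"]:
        return "false positive: source is an authorised scanner"

def rule_service_absent(a, facts):
    needed = facts["sig_service"].get(a["sid"])
    if needed and needed not in facts["services"].get(a["dst"], set()):
        return f"false positive: {a['dst']} does not run {needed}"

RULES = [rule_authorised_scanner, rule_service_absent]   # evaluated in order, first hit wins

def triage(alert_text, facts=FACTS):
    """Classify every parseable alert; alerts no rule explains are escalated to an analyst."""
    verdicts = []
    for line in alert_text.splitlines():
        a = parse_alert(line)
        if a is None:
            continue
        verdict = "escalate: needs analyst review"
        for rule in RULES:
            hit = rule(a, facts)
            if hit:
                verdict = hit
                break
        verdicts.append((a["sid"], a["src"], a["dst"], verdict))
    return verdicts
```

Only the third alert reaches an analyst; the other two are explained away by rules that encode exactly the context (scanner schedule, asset inventory) an administrator would otherwise check by hand.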