[Snort-sigs] Safe set of rules without false positives
cmg at ...26...
Fri Sep 14 06:09:03 EDT 2001
Guus Zijlstra <guus.zijlstra at ...108...> writes:
> Is there a safe set of snort rules without known false positives?
Aside from things like "icmp echo reply", no.
IDS rules must be tailored for certain environments. Lots of the
rules have very good constraints but there's always a false positive
If you're looking for things to tie your pager, look at events that
are worth responding to and do something based on postprocessing of
> Completeness is not the issue now. The point is to have a
> collection at all.
Just start commenting out rules you don't like and/or cause a huge
amount of false positives.
Chris Green <cmg at ...26...>
Laugh and the world laughs with you, snore and you sleep alone.