[Snort-sigs] Safe set of rules without false positives

Chris Green cmg at ...26...
Fri Sep 14 06:09:03 EDT 2001


Guus Zijlstra <guus.zijlstra at ...108...> writes:

> Is there a safe set of snort rules without known false positives?

Aside from things like "icmp echo reply", no.

IDS rules must be tailored for certain environments.  Lots of the
rules have very good constraints but there's always a false positive
possibility.

If you're looking for things to tie to your pager, look at events that
are worth responding to and do something based on postprocessing of
snort logs.

> Completeness is not the issue now. The point is to have a
> collection at all.

Just start commenting out rules you don't like and/or that cause a huge
number of false positives.
-- 
Chris Green <cmg at ...26...>
Laugh and the world laughs with you, snore and you sleep alone.
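As an added illustration of the two suggestions above (postprocess the alert log to pick out pager-worthy events, and comment out rules that generate nothing but false positives), here is a small Python script. It is not code from the original post or from the Snort project. It assumes the Snort 2 "alert_fast" line format; the alert lines, rule lines, SIDs, messages and addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of Snort "alert_fast" output (not real traffic).
# Format: timestamp  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src -> dst
SAMPLE_ALERTS = """\
09/14-06:01:10.000001  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.1
09/14-06:01:11.000002  [**] [1:408:5] ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.1 -> 10.0.0.5
09/14-06:01:12.000003  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.6 -> 10.0.0.1
09/14-06:02:00.000004  [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:4321 -> 10.0.0.80:80
09/14-06:02:05.000005  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.7 -> 10.0.0.1
"""

# Constructed rule file excerpt; SIDs here are illustrative, not authoritative.
SAMPLE_RULES = """\
alert icmp any any -> any any (msg:"ICMP PING"; itype:8; sid:384; rev:5;)
alert icmp any any -> any any (msg:"ICMP Echo Reply"; itype:0; sid:408; rev:5;)
alert tcp any any -> any 80 (msg:"WEB-IIS CodeRed v2 root.exe access"; content:"/root.exe"; sid:1256; rev:7;)
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

# Matches the sid option inside a rule body, e.g. "sid:384;"
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def parse_alert(line):
    """Parse one alert_fast line into a dict, or None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["sid"] = int(event["sid"])
    event["prio"] = int(event["prio"])
    return event


def triage(lines, page_sids=frozenset(), noisy_sids=frozenset(), max_priority=1):
    """Postprocess alert lines into (events worth paging on, per-SID counts).

    Policy (an assumption for this example): drop anything on the noisy list,
    then page on an explicit allow-list of SIDs or on priority <= max_priority.
    The per-SID counts are what you look at to decide which rules are noisy.
    """
    events = [e for e in (parse_alert(l) for l in lines) if e]
    counts = Counter(e["sid"] for e in events)
    page = [
        e for e in events
        if e["sid"] not in noisy_sids
        and (e["sid"] in page_sids or e["prio"] <= max_priority)
    ]
    return page, counts


def disable_rules(rules_text, sids):
    """Return rules_text with every rule whose sid is in `sids` commented out."""
    out = []
    for line in rules_text.splitlines():
        m = SID_RE.search(line)
        if m and int(m.group(1)) in sids and not line.lstrip().startswith("#"):
            out.append("# disabled (false positives): " + line)
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    page, counts = triage(SAMPLE_ALERTS.splitlines(), noisy_sids={384, 408})
    print("alerts per SID:", dict(counts))
    for e in page:
        print("PAGE:", e["sid"], e["msg"], e["src"], "->", e["dst"])
    # Once the counts show a rule is pure noise, take it out of the rule set.
    print(disable_rules(SAMPLE_RULES, {384}))
```

Run it once over a day of alert_fast output with an empty noisy list, look at the per-SID counts, and move the rules that are clearly just background noise in your network into the noisy set (or comment them out of the rule file with `disable_rules`); what remains after that is a candidate set for paging.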