[Snort-sigs] Ultimate Rule List

Greg Powell gpowell at ...1523...
Mon May 19 07:48:29 EDT 2003

In theory, is there an ultimate rule set that could be written to reduce
false positives? I am trying to understand if most of the current rules are
written to catch as many intrusions as possible by using a small set of
rules. Does anyone see it as possible to write a large set of rules that
could limit the number of false positives?

My assumptions are that some false positives are generated by the fact that
the rules are too loose. I would like to be the first to indicate that I may
be wrong in this assumption (so let me know if this is not the case). If
this is true then could there be some larger set of more refined rules that
would better block each intrusion?

I do understand that there may be a CPU/memory consumption trade-off, but I
am not sure I understand how large that impact would be.


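The contrast the post is asking about, as an added example that is not part of the original message or of Snort itself: a toy matcher that evaluates a "loose" rule (a single content string, any port, any direction) and a "refined" rule that adds the cheap constraints Snort's rule language offers (destination port, flow direction, dsize, depth) against constructed sample traffic. The Rule and Packet fields are this example's own simplification of Snort syntax, not Snort's parser; the packet payloads are made up for the demonstration. Besides showing which packets each rule alerts on, it counts how often each rule actually has to search a payload, since the header checks run before the content search.

```python
# Added example (not from the original post or from Snort): a toy rule
# matcher contrasting a loose content-only rule with a refined one that adds
# port, direction, size and depth constraints. Field names are a simplified
# stand-in for Snort's rule options, not Snort's own parser.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src_port: int
    dst_port: int
    to_server: bool          # stands in for flow:to_server
    payload: bytes


@dataclass
class Rule:
    name: str
    content: bytes                    # content:"..."
    dst_port: Optional[int] = None    # destination port in the rule header
    to_server: Optional[bool] = None  # flow:to_server
    depth: Optional[int] = None       # depth:N, search only the first N bytes
    min_dsize: Optional[int] = None   # dsize:>N


def matches(rule: Rule, pkt: Packet) -> tuple:
    """Return (alerted, payload_searched).

    Cheap header and size checks run first, so a refined rule often rejects a
    packet without ever touching the payload; the loose rule searches every
    packet's payload."""
    if rule.dst_port is not None and pkt.dst_port != rule.dst_port:
        return False, False
    if rule.to_server is not None and pkt.to_server != rule.to_server:
        return False, False
    if rule.min_dsize is not None and len(pkt.payload) <= rule.min_dsize:
        return False, False
    window = pkt.payload if rule.depth is None else pkt.payload[:rule.depth]
    return rule.content in window, True


def run(rules, traffic):
    """Evaluate every rule against every (label, packet) pair.

    Returns two dicts keyed by rule name: the labels that alerted, and the
    number of payload searches the rule had to perform."""
    alerts = {r.name: [] for r in rules}
    searches = {r.name: 0 for r in rules}
    for label, pkt in traffic:
        for r in rules:
            hit, searched = matches(r, pkt)
            searches[r.name] += int(searched)
            if hit:
                alerts[r.name].append(label)
    return alerts, searches


# Constructed sample traffic for the demonstration (not captured data).
TRAFFIC = [
    ("attack-request", Packet(40123, 80, True,
        b"GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n")),
    ("benign-response", Packet(80, 40124, False,
        b"HTTP/1.0 200 OK\r\n\r\n<p>Open cmd.exe and type ipconfig</p>")),
    ("benign-mail", Packet(40125, 25, True,
        b"Subject: help\r\n\r\nI ran cmd.exe as you suggested, thanks.")),
    ("benign-request", Packet(40126, 80, True,
        b"GET /index.html HTTP/1.0\r\n\r\n")),
]

# Loose: the string anywhere, on any port, in either direction.
LOOSE = Rule("loose-cmd-exe", content=b"cmd.exe")
# Refined: same string, but only in client-to-server traffic to port 80,
# within the first 100 bytes, and only for payloads larger than 20 bytes.
REFINED = Rule("refined-cmd-exe", content=b"cmd.exe",
               dst_port=80, to_server=True, depth=100, min_dsize=20)

if __name__ == "__main__":
    alerts, searches = run([LOOSE, REFINED], TRAFFIC)
    for name in alerts:
        print(f"{name}: alerts={alerts[name]} payload_searches={searches[name]}")
```

On this traffic the loose rule alerts on the attack and on both benign packets that merely mention the string, and searches all four payloads; the refined rule alerts only on the attack and searches two payloads, because the port and direction checks discard the other two before any content matching. The extra constraints are therefore not necessarily the expensive part; in this simplified model they reduce work rather than add it, while the real cost question for a large rule set is the number of content patterns the detection engine must keep in its multi-pattern matcher, which this toy does not model.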