[Snort-sigs] Accuracy of various snort rules

James Riden j.riden at ...1766...
Fri Apr 16 13:51:01 EDT 2004


Chintan Gosalia <chintan_cmpe at ...144...> writes:

>    Hi all,
>
>    I have seen various snort rules which are disabled by default. Can
>    anyone explain to me the reason for them? Are they more vulnerable to
>    false positives?
>
>    I would also like to know how I can find the accuracy of various
>    signatures in terms of false positives?

Um, run them and analyze the results. Every site is different I'm
afraid. You'll need a (knowledgeable) human to tell what's a false
positive and what's not.

I enabled everything by default (except porn rules I think), and then
tweaked or disabled rules which had too many false positives.

Tedious, but in the process you will probably learn a lot about your
network.

cheers,
 Jamie
-- 
James Riden / j.riden at ...1766... / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
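As an added example (not from the original post, and not Snort's own code), a small Python script that does the tallying step of the tuning Jamie describes: it parses Snort fast-format alert lines, counts hits per rule and how many distinct source hosts fired each, and lists the loudest rules as candidates for a human to review. The sample alert lines, SIDs and messages are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in Snort "fast" alert format; SIDs are in the local
# range (>= 1000000) and the messages are made up, not real Snort rules.
SAMPLE_ALERTS = """\
04/16-13:51:01.000001  [**] [1:1000001:1] LOCAL chatty rule A [**] [Priority: 3] {TCP} 10.0.0.5:40001 -> 10.0.0.10:80
04/16-13:51:02.000001  [**] [1:1000001:1] LOCAL chatty rule A [**] [Priority: 3] {TCP} 10.0.0.5:40002 -> 10.0.0.10:80
04/16-13:51:03.000001  [**] [1:1000001:1] LOCAL chatty rule A [**] [Priority: 3] {TCP} 10.0.0.5:40003 -> 10.0.0.10:80
04/16-13:51:04.000001  [**] [1:1000002:2] LOCAL rule B [**] [Priority: 2] {UDP} 10.0.0.7:1434 -> 10.0.0.11:1434
04/16-13:51:05.000001  [**] [1:1000002:2] LOCAL rule B [**] [Priority: 2] {UDP} 10.0.0.8:1434 -> 10.0.0.11:1434
04/16-13:51:06.000001  [**] [1:1000003:1] LOCAL rule C [**] [Priority: 1] {TCP} 10.0.0.9:5555 -> 10.0.0.12:22
"""

# One fast-format alert: [**] [gid:sid:rev] msg [**] ... {proto} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?"
)

def parse_alert(line):
    """Return the fields of one alert line, or None if the line is not an alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["rule"] = f"{d['gid']}:{d['sid']}"
    return d

def rule_stats(lines):
    """Aggregate alert count and distinct source hosts per rule (gid:sid)."""
    stats = defaultdict(lambda: {"msg": "", "count": 0, "sources": set()})
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        s = stats[a["rule"]]
        s["msg"] = a["msg"]
        s["count"] += 1
        s["sources"].add(a["src"])
    return dict(stats)

def tuning_candidates(lines, min_hits=10):
    """Rules firing at least min_hits times, loudest first, with the number of
    distinct sources. Many hits from very few sources is the usual shape of a
    false positive worth thresholding, suppressing or disabling, once a person
    has looked at the packets behind it."""
    rows = [(rule, s["count"], len(s["sources"]), s["msg"])
            for rule, s in rule_stats(lines).items() if s["count"] >= min_hits]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    for rule, hits, n_src, msg in tuning_candidates(SAMPLE_ALERTS.splitlines(), 2):
        print(f"{rule:12} hits={hits:<4} sources={n_src:<3} {msg}")
```

Point it at a real alert file (`tuning_candidates(open("alert").readlines())`) and raise `min_hits` to suit the site's volume.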