[Snort-sigs] Accuracy of various snort rules
j.riden at ...1766...
Fri Apr 16 13:51:01 EDT 2004
Chintan Gosalia <chintan_cmpe at ...144...> writes:
> Hi all,
> I have seen various snort rules which are disabled by default. Can
> anyone explain to me the reason for them? Are they more vulnerable to
> false positives?
> I would also like to know how I can find the accuracy of various
> signatures in terms of false positives?
Um, run them and analyze the results. Every site is different, I'm
afraid. You'll need a (knowledgeable) human to tell what's a false
positive and what's not.
I enabled everything by default (except porn rules I think), and then
tweaked or disabled rules which had too many false positives.
Tedious, but in the process you will probably learn a lot about your
James Riden / j.riden at ...1766... / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
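
An added example, not part of the original message: one way to do the "run them and analyze the results" step is to tally alerts per signature so a human can review the noisiest rules first. It assumes Snort's one-line "fast" alert format; the SIDs, messages and addresses in the sample lines are constructed.

```python
import re
from collections import defaultdict

# Snort "fast" alert: time [**] [gid:sid:rev] msg [**] ... {PROTO} src -> dst
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
)

# Constructed sample alerts (local-range SIDs, documentation addresses).
_TAIL = "[**] [Classification: Misc activity] [Priority: 3]"
SAMPLE_ALERTS = [
    f"04/16-13:51:01.100000  [**] [1:1000001:1] EXAMPLE web probe {_TAIL} {{TCP}} 192.0.2.10:40001 -> 198.51.100.5:80",
    f"04/16-13:51:02.100000  [**] [1:1000001:1] EXAMPLE web probe {_TAIL} {{TCP}} 192.0.2.10:40002 -> 198.51.100.5:80",
    f"04/16-13:51:03.100000  [**] [1:1000001:1] EXAMPLE web probe {_TAIL} {{TCP}} 192.0.2.10:40003 -> 198.51.100.5:80",
    f"04/16-13:52:00.000000  [**] [1:1000002:2] EXAMPLE ping sweep {_TAIL} {{ICMP}} 192.0.2.20 -> 198.51.100.6",
    f"04/16-13:52:01.000000  [**] [1:1000002:2] EXAMPLE ping sweep {_TAIL} {{ICMP}} 192.0.2.21 -> 198.51.100.6",
    "not an alert line",
]

def host(endpoint):
    """Drop the :port suffix from an IPv4 endpoint (ICMP alerts have none)."""
    return endpoint.rsplit(":", 1)[0] if ":" in endpoint else endpoint

def summarize(lines):
    """Return (gid, sid, msg, alert_count, distinct_host_pairs), noisiest first."""
    stats = defaultdict(lambda: {"msg": "", "count": 0, "pairs": set()})
    for line in lines:
        m = ALERT_RE.search(line)
        if not m:
            continue  # skip anything that is not a fast-format alert
        entry = stats[(int(m["gid"]), int(m["sid"]))]
        entry["msg"] = m["msg"]
        entry["count"] += 1
        entry["pairs"].add((host(m["src"]), host(m["dst"])))
    rows = [(gid, sid, v["msg"], v["count"], len(v["pairs"]))
            for (gid, sid), v in stats.items()]
    # Sort by alert volume; ties broken by SID for stable output.
    return sorted(rows, key=lambda r: (-r[3], r[1]))

if __name__ == "__main__":
    for gid, sid, msg, count, pairs in summarize(SAMPLE_ALERTS):
        print(f"{count:6d} alerts  {pairs:4d} host pairs  [{gid}:{sid}] {msg}")
```

The ranking only orders the review queue; deciding whether a rule's alerts are false positives at a given site still takes a person looking at the traffic.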