[Snort-users] False Positives

Colin Wu wucolin at ...2181...
Wed Jun 13 14:05:09 EDT 2001

Hello fellow Snorters,

I have snort/SnortSnarf setup and running fairly smoothly for about a
week now and have really enjoyed looking at all the alerts, warnings,
etc and following up on some of them.  When I first installed snort I
used the entire rules set from whitehat and generated an alert file that
was over 32M in the first hour (did I mention I have a /16 network?).
Since then I have trimmed down a lot of the false positives until now
I'm only getting 400 - 500 per hour, on average.  I feel that if I
trimmed any more I'm going to start missing the real alerts.  What's more,
we had a real intrusion recently - a machine was actually compromised -
and I missed it because the initial probe and actual attack were buried
in all the false positives.  When the sysadmin came and asked about a
specific machine at a specific time I was able to say "Yes, this is how
it was done", but that's like the old cliche about the run-away horse
and the barn door.

I also can't afford to spend my entire day looking at snort logs, which
is what it basically takes now.

So my question basically is: how do you folks handle the false
positives?  Is 4 - 500 per hour reasonable in a university environment?
Should I be looking into SPADE next?

Thanks for your feedback.

   __     _             _            Network Analyst
  /  )   //            ' )   /       Computing & Information Services
 /    __|/  o ____      / / / . .    McMaster University
(__/ (_) \_<_/ / <_    (_(_/ (_/_    (905)525-9140 ext 24050

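A small triage script of the kind that helps with this question (an added example, not code from the original thread): it parses Snort alert_fast lines, ranks signatures by volume so the noisiest rules can be reviewed for tuning, and separately pulls out rare Priority-1 hits that would otherwise be buried in the volume. The sample alert lines, addresses and SIDs below are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# One Snort alert_fast line: timestamp, [gid:sid:rev], message, optional
# classification and priority, protocol, src -> dst (ports optional for ICMP).
ALERT_RE = re.compile(
    r'^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+'
    r'(?P<msg>.*?)\s+\[\*\*\]'
    r'(?:\s+\[Classification:[^\]]*\])?(?:\s+\[Priority:\s*(?P<prio>\d+)\])?'
    r'\s+\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?')

# Constructed sample alert file (not real traffic).
SAMPLE = """\
06/13-14:01:02.111111  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.9.9.9 -> 10.0.1.5
06/13-14:01:03.222222  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.9.9.9 -> 10.0.1.6
06/13-14:01:04.333333  [**] [1:1201:1] WEB-MISC 403 Forbidden [**] [Priority: 2] {TCP} 10.0.2.7:80 -> 10.0.3.1:4567
06/13-14:02:05.444444  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.9.9.9 -> 10.0.1.7
06/13-14:03:06.555555  [**] [1:498:1] ATTACK RESPONSES id check returned root [**] [Priority: 1] {TCP} 10.0.1.5:80 -> 192.0.2.10:3322
"""

def parse(text):
    """Return one dict per line that matches the alert_fast layout; skip the rest."""
    return [m.groupdict() for m in map(ALERT_RE.match, text.splitlines()) if m]

def noise_report(events):
    """Per signature: (sid, msg, hits, distinct sources, distinct destinations),
    most frequent first. High hits from one source to many hosts is typical
    scanner noise; high hits from many sources is often a tuning candidate."""
    hits, srcs, dsts = Counter(), defaultdict(set), defaultdict(set)
    for e in events:
        key = (e['sid'], e['msg'])
        hits[key] += 1
        srcs[key].add(e['src'])
        dsts[key].add(e['dst'])
    return [(sid, msg, n, len(srcs[(sid, msg)]), len(dsts[(sid, msg)]))
            for (sid, msg), n in hits.most_common()]

def rare_high_priority(events, max_hits=1):
    """Priority-1 events whose signature fired at most max_hits times overall:
    the low-volume alerts most easily lost among the false positives."""
    per_sid = Counter(e['sid'] for e in events)
    return [e for e in events if e['prio'] == '1' and per_sid[e['sid']] <= max_hits]

if __name__ == '__main__':
    evs = parse(SAMPLE)
    for row in noise_report(evs):
        print('%6s %-45s hits=%d srcs=%d dsts=%d' % row)
    for e in rare_high_priority(evs):
        print('REVIEW', e['ts'], e['sid'], e['msg'], e['src'], '->', e['dst'])
```

Run against a real alert file by replacing SAMPLE with its contents; the noise report gives the list of signatures worth a threshold or pass rule, and the rare Priority-1 list is the one to read first each day.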