[Snort-users] False Positives
wucolin at ...2181...
Wed Jun 13 14:05:09 EDT 2001
Hello fellow Snorters,
I have snort/SnortSnarf set up and running fairly smoothly for about a
week now and have really enjoyed looking at all the alerts, warnings,
etc., and following up on some of them. When I first installed snort I
used the entire rules set from whitehat and generated an alert file that
was over 32M in the first hour (did I mention I have a /16 network?).
Since then I have trimmed down a lot of the false positives until now
I'm only getting 400 - 500 per hour, on average. I feel that if I
trimmed any more I'm going to start missing the real alerts. What's more,
we had a real intrusion recently - a machine was actually compromised -
and I missed it because the initial probe and actual attack were buried
in all the false positives. When the sysadmin came and asked about a
specific machine at a specific time I was able to say "Yes, this is how
it was done", but that's like the old cliché about the runaway horse
and the barn door.
I also can't afford to spend my entire day looking at snort logs, which
is what it basically takes now.
So my question basically is: how do you folks handle the false
positives? Is 4 - 500 per hour reasonable in a university environment?
Should I be looking into SPADE next?
Thanks for your feedback.
__ _ _ Network Analyst
/ ) // ' ) / Computing & Information Services
/ __|/ o ____ / / / . . McMaster University
(__/ (_) \_<_/ / <_ (_(_/ (_/_ (905)525-9140 ext 24050
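A first step that many tuners take before disabling rules outright is to measure which signatures generate the volume and whether that volume comes from a handful of hosts or from everywhere. The script below is an added example written for this thread, not code from the poster or from the Snort project: it parses Snort's one-line ("fast") alert format, ranks signatures by count and by number of distinct sources, and lists the top sources for one SID. The sample alert lines, hosts and timestamps are constructed for the example, and the regular expression tolerates the optional Classification and Priority tags so it works on output with or without them.

```python
"""Rank Snort fast-format alerts by signature and source so the noisiest
rules can be reviewed (pass rule, threshold, or disable) with evidence."""
import re
from collections import Counter

# Constructed sample lines in Snort's one-line ("fast") alert format.
# Signature IDs, addresses and timestamps are made up for this example.
SAMPLE_ALERTS = """\
06/13-13:01:02.123456  [**] [1:469:1] ICMP PING NMAP [**] [Priority: 2] {ICMP} 10.10.1.5 -> 10.10.2.7
06/13-13:01:03.223456  [**] [1:469:1] ICMP PING NMAP [**] [Priority: 2] {ICMP} 10.10.1.5 -> 10.10.2.8
06/13-13:01:09.323456  [**] [1:1042:2] WEB-IIS view source via translate header [**] [Priority: 2] {TCP} 10.10.1.5:2044 -> 10.10.2.7:80
06/13-13:02:11.423456  [**] [1:1042:2] WEB-IIS view source via translate header [**] [Priority: 2] {TCP} 192.0.2.14:3121 -> 10.10.2.7:80
06/13-13:05:45.523456  [**] [1:469:1] ICMP PING NMAP [**] [Priority: 2] {ICMP} 10.10.1.5 -> 10.10.2.9
06/13-13:07:00.623456  [**] [1:1256:3] WEB-IIS CodeRed v2 root.exe access [**] [Priority: 1] {TCP} 192.0.2.99:4100 -> 10.10.2.7:80
"""

# One fast-format line: timestamp, [**], [gid:sid:rev], message, [**],
# optional Classification/Priority tags, {proto}, src[:port] -> dst[:port].
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"             # message text ends at the second [**]
    r"(?:\s+\[Classification:[^\]]*\])?"   # absent in older Snort output
    r"(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alert_line(line):
    """Return a dict of fields for one alert line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["sid"] = int(d["sid"])
    d["prio"] = int(d["prio"]) if d["prio"] else None
    return d


def parse_alerts(text):
    """Parse every line that looks like an alert; skip anything else."""
    return [a for a in (parse_alert_line(l) for l in text.splitlines()) if a]


def rank_signatures(alerts):
    """Return [(sid, msg, count, distinct_sources)], most frequent first.

    A high count from one source suggests a single noisy host (candidate
    for a pass rule or BPF filter); a high count across many sources
    suggests the rule itself needs thresholding or a tighter signature."""
    counts, sources, msgs = Counter(), {}, {}
    for a in alerts:
        counts[a["sid"]] += 1
        sources.setdefault(a["sid"], set()).add(a["src"])
        msgs[a["sid"]] = a["msg"]
    return [(sid, msgs[sid], n, len(sources[sid])) for sid, n in counts.most_common()]


def top_talkers(alerts, sid):
    """Sources that trigger one SID, most frequent first."""
    return Counter(a["src"] for a in alerts if a["sid"] == sid).most_common()


def high_priority(alerts, max_prio=1):
    """Alerts at or above a priority cut-off, so they are reviewed first
    rather than buried in the bulk of lower-priority noise."""
    return [a for a in alerts if a["prio"] is not None and a["prio"] <= max_prio]


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for sid, msg, n, nsrc in rank_signatures(parsed):
        print(f"sid {sid:>6}  count {n:>4}  sources {nsrc:>3}  {msg}")
    print("top sources for 469:", top_talkers(parsed, 469))
    print("priority-1 alerts:", [(a["sid"], a["src"]) for a in high_priority(parsed)])
```

Run it against a real alert file with `parse_alerts(open("alert").read())`; lines that do not match the fast format (full-format multi-line alerts, for instance) are simply skipped, so point it at a fast-format log or at the output of `snort -A fast`.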