[Snort-users] alert.ids and False positive tuning.

Brian Bartlett bbartlett at ...4564...
Tue Jan 15 06:36:08 EST 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello gang,

I'm new to this list as of last week so this question may be
redundant. At the risk of starting a religious war, I have been
playing with the Win32 port of Snort since September. I started with
just the simple command line version and have slowly added more of
the whiz-bang enhancements as I went. I am presently running 3
sensors. One is just the basic command line version alerting through
IDSCenter on my broadband connection at home. The others are the
Win32 MySQL compile on Windows 2000 on my laptop and a test server at
work. I have installed and configured ACID on IIS 5.0 and the Win32
release of Apache. I am using TextPad, IDSCenter and IDS Policy
Manager (ActiveWorx) as configuration tools. Through the months of
testing I have kept the original alert.ids file current with all the
data gathered by both sensors. Obviously this is not the ideal place
to keep this info, which leads me to my questions.
1. Is there a tool or command line to parse this info into my MySQL
database (I'm not a SQL guru but have dabbled and am not afraid of
SQL scripts :-) )?
2. This one is more general, but once I have all this info in the db
I can at least look at it with ACID and start to see trends. What are
the "Best Practices" for tuning my rules based on my data to reduce
false positives, and then modify alerting to include email and/or
pager support?
3. I am using NmapNT and Netcat for NT to scan and probe my sensors
to produce alerts. Any other neat tools I should be using to tune the
rules?
4. My home network and laptop have a software firewall installed on
them. Will this affect the sensors installed on these PCs? If I
understand the WinPcap docs, this driver lies beneath the IP stack and
should see the packets before the firewall does, correct?

Thanks in advance for any help.

Brian D. Bartlett


-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBPEQ+FeOzNZ0qnGDoEQLg7gCgx95RSrijlwJwuaIEnkpNFw6PSr0AoL7i
J8aI9JElFPL8txrlE4kyuCJo
=2Dzi
-----END PGP SIGNATURE-----
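
The following is an added example written for this archive page; it is not code from the original post, from IDSCenter or from the Snort project. It addresses questions 1 and 2 together: it parses records in the layout that Snort's "full" alert output writes (assumed here to be what alert.ids contains), turns them into parameter tuples for a MySQL load, and then runs the two counts a practitioner does first when hunting false positives: which signatures fire most, and which sources generate them. Assumptions: a flat `alerts` table that you create yourself (not the Snort/ACID schema that the database output plugin populates), a year supplied by the caller because Snort's default timestamps carry none, and a constructed sample file with made-up addresses and SIDs.

```python
"""Parse Snort 'full' alert.ids records into MySQL-ready rows and run a first
false-positive triage. Added example, not from the original post."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the layout Snort's "full" alert output writes; assumed
# to be what IDSCenter's alert.ids holds. Addresses and SIDs are made up.
SAMPLE_ALERT_IDS = """\
[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
01/14-22:10:01.123456 192.168.1.20 -> 192.168.1.5
ICMP TTL:44 TOS:0x0 ID:1234 IpLen:20 DgmLen:28
Type:8  Code:0  ID:54321   Seq:0  ECHO
[Xref => http://www.whitehats.com/info/IDS162]

[**] [1:1418:2] SNMP request tcp [**]
[Classification: Attempted Information Leak] [Priority: 2]
01/14-22:10:05.654321 192.168.1.20:44123 -> 192.168.1.5:161
TCP TTL:44 TOS:0x0 ID:4321 IpLen:20 DgmLen:44 DF
******S* Seq: 0x1A2B3C4D  Ack: 0x0  Win: 0x1000  TcpLen: 24

[**] [1:1418:2] SNMP request tcp [**]
[Classification: Attempted Information Leak] [Priority: 2]
01/14-22:10:06.000001 192.168.1.20:44124 -> 192.168.1.6:161
TCP TTL:44 TOS:0x0 ID:4322 IpLen:20 DgmLen:44 DF
******S* Seq: 0x1A2B3C4E  Ack: 0x0  Win: 0x1000  TcpLen: 24
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.*?)\] \[Priority: (\d+)\]$")
TS_RE = re.compile(r"^\d\d/\d\d-\d\d:\d\d:\d\d\.\d+ ")


def _split_endpoint(endpoint):
    """'10.0.0.1:80' -> ('10.0.0.1', 80); '10.0.0.1' (ICMP, no port) -> ('10.0.0.1', None)."""
    host, sep, port = endpoint.rpartition(":")
    return (host, int(port)) if sep else (endpoint, None)


def parse_alert_ids(text, year):
    """Return one dict per alert record. Snort omits the year from its default
    timestamps, so the caller supplies it (assumption: one year per file)."""
    rows = []
    for record in re.split(r"\n\s*\n", text.strip()):
        lines = record.splitlines()
        m = HEADER_RE.match(lines[0])
        if not m:
            continue  # not a full-format record; skip rather than guess
        gid, sid, rev, msg = m.groups()
        row = {"gid": int(gid), "sid": int(sid), "rev": int(rev), "msg": msg,
               "classification": None, "priority": None}
        for i, line in enumerate(lines[1:], start=1):
            c = CLASS_RE.match(line)
            if c:
                row["classification"], row["priority"] = c.group(1), int(c.group(2))
            elif TS_RE.match(line):
                ts, src, _arrow, dst = line.split()
                row["timestamp"] = datetime.strptime(f"{year}/{ts}", "%Y/%m/%d-%H:%M:%S.%f")
                row["src_ip"], row["src_port"] = _split_endpoint(src)
                row["dst_ip"], row["dst_port"] = _split_endpoint(dst)
                # the line after the timestamp starts with the protocol name
                row["proto"] = lines[i + 1].split()[0] if i + 1 < len(lines) else None
        if "timestamp" in row:
            rows.append(row)
    return rows


# Assumed flat table, created by hand; this is NOT the Snort/ACID schema.
INSERT_SQL = ("INSERT INTO alerts (gid, sid, rev, msg, classification, priority, "
              "ts, proto, src_ip, src_port, dst_ip, dst_port) "
              "VALUES (%s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s)")


def to_insert_params(rows):
    """Parameter tuples for cursor.executemany(INSERT_SQL, ...). Parameterised
    so the rule message text is never spliced into the SQL string."""
    return [(r["gid"], r["sid"], r["rev"], r["msg"], r["classification"], r["priority"],
             r["timestamp"], r["proto"], r["src_ip"], r["src_port"], r["dst_ip"], r["dst_port"])
            for r in rows]


def noisiest_signatures(rows, n=5):
    """(sid, msg, count) for the signatures that fire most: the first place to
    look for false positives and for rules to tighten or pass."""
    counts = Counter((r["sid"], r["msg"]) for r in rows)
    return [(sid, msg, c) for (sid, msg), c in counts.most_common(n)]


def talkers(rows, n=5):
    """(src_ip, distinct destinations, alert count). One source hitting many
    hosts reads like a scan; one source, one host, one rule all day reads
    like a legitimate service tripping a rule."""
    hits = Counter(r["src_ip"] for r in rows)
    dests = {}
    for r in rows:
        dests.setdefault(r["src_ip"], set()).add(r["dst_ip"])
    return [(ip, len(dests[ip]), c) for ip, c in hits.most_common(n)]


if __name__ == "__main__":
    rows = parse_alert_ids(SAMPLE_ALERT_IDS, year=2002)
    print(f"{len(rows)} alerts parsed")
    for sid, msg, c in noisiest_signatures(rows):
        print(f"{c:4d}  [{sid}] {msg}")
    for ip, nd, c in talkers(rows):
        print(f"{c:4d} alerts from {ip} to {nd} host(s)")
```

To load a real file, read it with `parse_alert_ids(open(path).read(), year)` and hand `INSERT_SQL` plus `to_insert_params(rows)` to `cursor.executemany` on a DB-API MySQL driver that uses `%s` placeholders (MySQLdb does). The two counting helpers are the trend queries you would otherwise run in ACID: a signature that dominates the top of `noisiest_signatures` on traffic you know to be benign is the first tuning candidate, and `talkers` separates a scanner (many destinations) from a chatty legitimate host (one destination, one rule).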
