[Snort-users] Help to configure SNORT
mkettler at ...4108...
Wed Dec 24 07:27:07 EST 2003
At 05:00 PM 12/23/2003, Lorenzo Rossi wrote:
> Do you think it is a good idea to have "evasion_alerts" enabled even if it
> causes lots of alerts?
Really, what level of "false alarms" is acceptable is a function of how you use snort and what you want from it.

Some people like snort to run pretty quiet, and only alert for very suspicious things. This way, when snort fires they know they should pay attention because something is likely to be wrong.

Others like snort to try to catch pretty much everything that's remotely odd. This winds up generating a lot of false alarms and runs the risk of having an important alert get overlooked because it's buried in a pile of other alerts. However, it has the advantage of giving you a lot of extra forensic data to work with in the event of an intrusion.

The evasion alerts are highly prone to false positives. At least 90% of the evasion alerts will be false positives due to some broken TCP/IP stack. They can be useful when tracking down a "what happened here" case after an intrusion, but in and of themselves they cannot be considered a sign of

If you're the kind of person that wants lots of logging data, go ahead and leave them on, but don't let them lull you into ignoring everything that comes out of snort.
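One way to keep the evasion noise from burying the alerts that matter, as an added example that is not part of the list post: parse Snort's "fast" alert format, count alerts per signature, and rank everything that is not a stream4 evasion alert first. The alert lines are constructed for the example, and it assumes stream4's evasion alerts carry generator ID 111, as in the Snort 2.x gen-msg.map.

```python
import re
from collections import Counter

# Snort "fast" alert line, e.g.
#   <ts> [**] [gid:sid:rev] <msg> [**] [Priority: n] {TCP} src -> dst
FAST_RE = re.compile(
    r'^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] '
    r'(?P<msg>.*?) \[\*\*\] .*?\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)$'
)

# Assumption: stream4 (the source of the evasion alerts) uses generator ID 111.
EVASION_GID = 111

def parse_fast_alert(line):
    """Return a dict for one fast-format alert line, or None if it does not parse."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    for k in ('gid', 'sid', 'rev'):
        a[k] = int(a[k])
    return a

def triage(lines):
    """Count alerts per (gid, sid, msg), split into evasion noise and everything else."""
    evasion, other = Counter(), Counter()
    for line in lines:
        a = parse_fast_alert(line)
        if a is None:
            continue  # non-alert line: skip rather than miscount
        key = (a['gid'], a['sid'], a['msg'])
        (evasion if a['gid'] == EVASION_GID else other)[key] += 1
    return evasion, other

def summarize(lines):
    """Return (share of alerts that are evasion noise, signatures ranked for review)."""
    evasion, other = triage(lines)
    total = sum(evasion.values()) + sum(other.values())
    noise_share = sum(evasion.values()) / total if total else 0.0
    by_count = lambda kv: -kv[1]
    # Non-evasion signatures first, most frequent at the top; evasion alerts last.
    ranked = sorted(other.items(), key=by_count) + sorted(evasion.items(), key=by_count)
    return noise_share, ranked

# Constructed sample alert log (addresses and timestamps are made up).
SAMPLE = """\
12/23-17:00:01.000001 [**] [111:2:1] (spp_stream4) possible EVASIVE RST detection [**] [Priority: 3] {TCP} 10.0.0.5:4321 -> 10.0.0.80:80
12/23-17:00:02.000002 [**] [111:2:1] (spp_stream4) possible EVASIVE RST detection [**] [Priority: 3] {TCP} 10.0.0.6:4322 -> 10.0.0.80:80
12/23-17:00:03.000003 [**] [111:1:1] (spp_stream4) STEALTH ACTIVITY (unknown) detection [**] [Priority: 3] {TCP} 10.0.0.7:4323 -> 10.0.0.80:25
12/23-17:00:04.000004 [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:3345 -> 10.0.0.80:80
12/23-17:00:05.000005 [**] [111:2:1] (spp_stream4) possible EVASIVE RST detection [**] [Priority: 3] {TCP} 10.0.0.5:4324 -> 10.0.0.80:80
12/23-17:00:06.000006 [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.11:3346 -> 10.0.0.80:80
stream4: reassembly buffer notice, not an alert line
"""
```

Run `summarize(SAMPLE.splitlines())` against a real alert file's lines to see the evasion share and the review order for your own sensor.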