[Snort-users] Help to configure SNORT

Matt Kettler mkettler at ...4108...
Wed Dec 24 07:27:07 EST 2003

At 05:00 PM 12/23/2003, Lorenzo Rossi wrote:
>Do you think is a god idea to have "evasion_alerts" enabled eaven if it
>cause lots of alerts?

Really what level of "false alarms" is acceptable is a function of how you 
use snort and what you want from it.

Some people like snort to run pretty quiet, and only alert for very 
suspicious things. This way, when snort fires they know they should pay 
attention because something is likely to be wrong.

Others like snort to try to catch pretty much everything that's remotely 
odd. This winds up generating a lot of false alarms and runs the risk of 
having an important alert get overlooked because it's buried in a pile of 
other alerts. However, it has the advantage of giving you a lot of extra 
forensic data to work with in the event of an intrusion.

The evasion alerts are highly prone to false positive. At least 90% of the 
evasion alerts will be false positives due to some broken tcp/ip stack. 
They can be useful when tracking down a "what happened here" case after an 
intrusion, but in and of themselves they cannot be considered a sign of 

If you're the kind of person that wants lots of logging data, go ahead and 
leave them on, but don't let them lull you into ignoring everything that 
comes out of snort.

More information about the Snort-users mailing list