[Snort-users] Filtering alerts

Richard Brackett rbrackett at ...10146...
Mon Sep 22 17:33:27 EDT 2003


Rather than disabling noisy rules (false positives) I've been using pass
rules to stop alerts to hosts that either aren't vulnerable to the
attack or where the data is a false positive (I get a lot of those with the
Gnutella rule and HTTP/SMTP sessions). Is there another, better
methodology to use rather than pass? My Syngress Snort 2.0 book says you
shouldn't need to write many pass rules, but how the heck do you keep
the false positives and noise to an acceptable level? Do I have to go
buy a management system?

I'm using Snort 2.0.2, ACID and MySQL on a SuSE 8.2 box.
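As an added illustration (not part of the original post) of the pass-rule approach described above, here is a Snort 2.0-style snort.conf fragment that suppresses the Gnutella client-request alert for one host that is known not to run a P2P client. The host address, the pattern and the order directive are assumptions for the example; in Snort 2.0 the default rule order is Alert, Pass, Log, so pass rules are silently ignored unless the order is changed with `config order:` (or the `-o` command-line switch).

```snort
# Added example: make pass rules win over alert rules (Snort 2.0 default
# order is alert -> pass -> log, which would evaluate the alert first).
config order: pass alert log activation dynamic

# Assumed placeholder host that generates Gnutella-rule false positives
# (documentation address, not a real system).
var NOISY_HOST 192.0.2.10

# Pass rule mirroring the Gnutella client-request signature so the match
# is dropped only for this host and only for this pattern. The content
# string is an assumption modelled on the stock rule, not copied from it.
pass tcp $HOME_NET any -> $NOISY_HOST any (msg:"PASS Gnutella FP on known host"; flow:to_server,established; content:"GNUTELLA CONNECT"; depth:17;)
```

Keep pass rules this narrow (one host, one signature) so that a real hit on any other host still alerts; a broad `pass ip $NOISY_HOST any -> any any` would blind the sensor to everything from that host.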
