[Snort-users] "False positive" database idea
anton at ...5376...
Tue Sep 23 09:36:04 EDT 2003
Brian and all,
I suspect people monitoring lots of NIDS sensors start to have their own
favorite "false positives". After I upped the number of snort sensors I
run I started seeing lots of nice ones :-) And that made me think of a
Why can't we create a public database of "false positives" so that snort
users everywhere can submit theirs and make life simple for everybody
For example, submission may take the form of 'Application X during auth
phase always triggers snort alarm Y' or 'I keep seeing in my environment;
here is the packet dump, here is the snort alert X which gets triggered'
I suspect implementing such an idea will optimize the snort rule
development by a large margin.
Anton A. Chuvakin, Ph.D., GCI*