[Snort-users] "False postive" database idea

Anton Chuvakin anton at ...5376...
Tue Sep 23 09:36:04 EDT 2003


Brian and all,

I suspect people monitoring lots of NIDS sensors start to have their own
favorite "false positives". After I upped the number of snort sensors I
run I started seeing lots of nice ones :-) And that made me think of a
following idea:

Why can't we create a public database of "false positive" so that snort
users everywhere can submit theirs and make life simple for everybody
running snort?

For example, submission may take the form of 'Application X during auth
phase always triggers snort alarm Y' or 'I keep seeing in my environment;
here is the packet dump, here is the snort alert X which gets triggered'

I suspect implementing such an idea will optimize the snort rule
development by a large margin.

Best,
-- 
  Anton A. Chuvakin, Ph.D., GCI*
     http://www.chuvakin.org
   http://www.info-secure.org





More information about the Snort-users mailing list