[Snort-users] Re: "False postive" database idea

Brian bmc at ...950...
Tue Sep 23 11:18:11 EDT 2003


On Tue, Sep 23, 2003 at 12:34:30PM -0400, Anton Chuvakin wrote:
> Brian and all,
> 
> I suspect people monitoring lots of NIDS sensors start to have their own
> favorite "false positives". After I upped the number of snort sensors I
> run I started seeing lots of nice ones :-) And that made me think of the
> following idea:
> 
> Why can't we create a public database of "false positives" so that snort
> users everywhere can submit theirs and make life simple for everybody
> running snort?
> 
> For example, submission may take the form of 'Application X during auth
> phase always triggers snort alarm Y' or 'I keep seeing in my environment;
> here is the packet dump, here is the snort alert X which gets triggered'
> 
> I suspect implementing such an idea will optimize the snort rule
> development by a large margin.

Submit it as an update to the rule documentation.  There is a section
for false positives...

-brian
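The thread's proposed submission format ("Application X during auth phase always triggers snort alarm Y", plus the alert that fired) maps naturally onto a small lookup that tags incoming alerts with a known-false-positive entry. The following Python is an added example, not code from the Snort project or from either poster; the alert lines, the rule SIDs and the `KnownFalsePositive` schema are constructed for illustration. It parses Snort "fast" alert lines, matches them against a list of false-positive entries that carry context (which source network and destination port the benign application uses), and reports which alerts a reviewer can downgrade. The design point it shows is that a false-positive entry should be scoped by that context rather than by SID alone, so the same rule firing from an unexpected host is still surfaced.

```python
"""Tag Snort fast-format alerts against a small 'known false positive' list.

Added example, not Snort project code. The alert lines, SIDs and the
KnownFalsePositive schema below are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Snort "fast" alert layout:
#   <ts> [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n] {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)


@dataclass(frozen=True)
class KnownFalsePositive:
    """One 'Application X in situation Y trips rule Z' entry (hypothetical schema)."""
    gid: int
    sid: int
    description: str
    src_net: Optional[str] = None    # CIDR the benign application talks from; None = any
    dst_port: Optional[int] = None   # port the benign application talks to; None = any

    def matches(self, alert: Dict[str, Optional[str]]) -> bool:
        """True only if the rule id AND the recorded traffic context agree."""
        if (int(alert["gid"]), int(alert["sid"])) != (self.gid, self.sid):
            return False
        if self.src_net is not None:
            if ipaddress.ip_address(alert["src"]) not in ipaddress.ip_network(self.src_net):
                return False
        if self.dst_port is not None and alert.get("dport") != str(self.dst_port):
            return False
        return True


def parse_alert(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Extract gid/sid/rev, message, protocol and endpoints; None if not an alert line."""
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None


def triage(lines: List[str], kb: List[KnownFalsePositive]) -> List[Tuple[str, Optional[str]]]:
    """For each parsable alert return (sid, matching FP description or None)."""
    out: List[Tuple[str, Optional[str]]] = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue  # not an alert line (blank, banner, etc.)
        hit = next((fp.description for fp in kb if fp.matches(alert)), None)
        out.append((alert["sid"], hit))
    return out


# Constructed sample input: same SID from an internal directory client and from
# an external address, plus an ICMP alert with no ports.
ALERT_LINES = [
    "09/23-11:18:11.123456 [**] [1:1000001:2] CONSTRUCTED auth-probe signature [**] "
    "[Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 10.10.5.20:51234 -> 10.10.5.1:389",
    "09/23-11:18:12.500000 [**] [1:1000001:2] CONSTRUCTED auth-probe signature [**] "
    "[Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:40000 -> 10.10.5.1:389",
    "09/23-11:18:13.000000 [**] [1:1000002:1] CONSTRUCTED icmp ping sweep [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 10.10.5.30 -> 10.10.5.1",
]

# Constructed false-positive knowledge base in the thread's suggested shape.
KB = [
    KnownFalsePositive(
        gid=1, sid=1000001,
        description="Directory client X during auth phase always trips SID 1000001 (LDAP bind)",
        src_net="10.10.5.0/24", dst_port=389,
    ),
]

if __name__ == "__main__":
    for sid, fp in triage(ALERT_LINES, KB):
        print(f"SID {sid}: {'known FP: ' + fp if fp else 'review'}")
```

Run as a script it prints one verdict per alert; only the first alert is downgraded, because the second comes from outside the network the false-positive entry was recorded for and the third SID has no entry at all. The same `KnownFalsePositive` fields are exactly what a submission to the rule documentation's false positives section would need to record for the entry to be useful to someone else.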
