[Snort-users] doubts about how many false positives exists

Matt Kettler mkettler at ...4108...
Thu Apr 22 14:26:02 EDT 2004

At 03:37 PM 4/22/2004, Ernesto wrote:
>I want to know how many false positives there are per
>real positive. In other words, what is the ratio of
>false positives that we can find for each 100 real
>positives in your snort signature database? I hope
>that you understand my question. I appreciate your
>response. Thanks

That ratio depends a lot on how you've set up your sensor. Definitions of 
HOME_NET and EXTERNAL_NET greatly change the noise level. It also varies 
greatly with where you place the sensor.

For example, if I set up a snort box with a default set of rules:

Using "any" and "any" for HOME and EXTERNAL, placed monitoring a LAN 
core-switch, I'd expect about 100,000 false positives per 100 real 
positives (i.e. about a 1000:1 ratio).

However, a well defined HOME, and an EXTERNAL of !HOME, placed only 
monitoring my egress to the internet would likely be about 200 false alerts 
for every 100 real alerts (2:1 ratio). There would also be a lot of trivial 
and useless alerts for real attacks that aren't of any significant concern 
(i.e. codered infection attempts, which never seem to die out, but all my 
servers are long since patched against it. Yes, I did get a codered 
infection attempt on 04/20/2004 from a machine in APNIC's 219/8 block.)

Some tuning can greatly improve either number. However, anyone with a ratio 
better than 1:20 (1 false per 20 real) is doing very well in tuning, or has 
restricted their ruleset to the point they are missing a significant number 
of real attacks that they would have otherwise caught.

>PS: I am sorry for my English.

That's ok.


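An added illustration, not part of the original thread, of why the HOME_NET/EXTERNAL_NET definitions change the noise level so much: a small Python model of the Snort rule header `alert tcp $EXTERNAL_NET any -> $HOME_NET 80`, evaluated over constructed flows once with any/any and once with a defined HOME_NET and EXTERNAL_NET set to !$HOME_NET. The LAN range 10.0.0.0/8, the flows and the variable resolution logic are assumptions made for the example, not Snort's own code.

```python
import ipaddress

# Header of a typical Snort web rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 80
RULE = {"src": "$EXTERNAL_NET", "dst": "$HOME_NET", "dport": 80}

# Constructed sample flows (src_ip, dst_ip, dst_port); the LAN is assumed to be 10.0.0.0/8.
FLOWS = [
    ("10.1.2.3", "10.1.2.4", 80),        # workstation to intranet server (LAN core-switch view)
    ("10.1.2.3", "10.1.2.5", 80),        # workstation to another LAN host
    ("10.1.2.6", "10.1.2.4", 80),        # another LAN-to-LAN web session
    ("203.0.113.7", "10.1.2.80", 80),    # Internet client to our web server (the only real candidate)
    ("10.1.2.3", "198.51.100.9", 80),    # workstation browsing the Internet
]

# The two sensor setups discussed in the post: the untuned default and a tuned one.
UNTUNED = {"HOME_NET": "any", "EXTERNAL_NET": "any"}
TUNED = {"HOME_NET": "[10.0.0.0/8]", "EXTERNAL_NET": "!$HOME_NET"}


def addr_matches(ip, spec, variables):
    """Evaluate a Snort-style address spec ('any', [CIDR,...], $VAR, !expr) against one IP."""
    if spec.startswith("!"):                       # negation: !$HOME_NET
        return not addr_matches(ip, spec[1:], variables)
    if spec.startswith("$"):                       # variable reference, resolved recursively
        return addr_matches(ip, variables[spec[1:]], variables)
    if spec == "any":
        return True
    nets = [ipaddress.ip_network(n.strip()) for n in spec.strip("[]").split(",")]
    return any(ipaddress.ip_address(ip) in n for n in nets)


def rule_hits(rule, variables, flows):
    """Return the flows on which the rule header would fire under the given variable definitions."""
    return [f for f in flows
            if f[2] == rule["dport"]
            and addr_matches(f[0], rule["src"], variables)
            and addr_matches(f[1], rule["dst"], variables)]


if __name__ == "__main__":
    for name, variables in (("any/any", UNTUNED), ("HOME + !HOME", TUNED)):
        hits = rule_hits(RULE, variables, FLOWS)
        print(f"{name}: {len(hits)} of {len(FLOWS)} flows trigger the rule header")
```

With any/any every port-80 flow, including all the LAN-internal traffic a core-switch span sees, reaches the rule's content checks; with a defined HOME_NET and EXTERNAL_NET = !$HOME_NET only the Internet-to-server flow does.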