[Snort-users] doubts about how many false positives exists
mkettler at ...4108...
Thu Apr 22 14:26:02 EDT 2004
At 03:37 PM 4/22/2004, Ernesto wrote:
>I want to know how many false positives there are by
>real positives. In other words which is the ratio of
>false positives that we can find for each 100 real
>positives on yours snort signature's data base. I hope
>that you understand my question. I appreciate your
That ratio depends a lot on how you've set up your sensor. Definitions of
HOME_NET and EXTERNAL_NET greatly change the noise level. It also varies
greatly with where you place the sensor.
For example, if I set up a snort box with a default set of rules:
Using "any" and "any" for HOME and EXTERNAL, placed monitoring a LAN
core-switch, I'd expect about 100,000 false positives per 100 real
positives (ie: about 1000:1 ratio)
However, a well defined HOME, and an EXTERNAL of !HOME, placed only
monitoring my egress to the internet would likely be about 200 false alerts
for every 100 real alerts (2:1 ratio). There would also be a lot of trivial
and useless alerts for real attacks that aren't of any significant concern
(ie: codered infection attempts, which never seem to die out, but all my
servers are long since patched against it. Yes, I did get a codered
infection attempt on 04/20/2004 from a machine in APNIC's 219/8 block.)
Some tuning can greatly improve either number. However, anyone with a ratio
better than 1:20 (1 false per 20 real) is doing very well in tuning, or has
restricted their ruleset to the point they are missing a significant number
of real attacks that they would have otherwise caught.
>PD: I am Sorry for my English.
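As an added illustration (not from the original thread), the two sensor setups contrasted above, written as snort.conf variable definitions in Snort 2.x syntax; the address ranges are constructed documentation space and the rule is a placeholder, not a real signature.

```conf
# Added example, not part of the original post. Address ranges are
# constructed (RFC 5737 documentation space); the rule at the bottom
# is a placeholder used only to show the effect of the variables.

# --- Noisy setup (the "any / any" case), shown commented out ----------
# With both variables set to "any", every rule written as
# $EXTERNAL_NET -> $HOME_NET matches traffic in both directions,
# including purely internal flows seen on a core switch.
# var HOME_NET any
# var EXTERNAL_NET any

# --- Tuned setup (defined HOME_NET, EXTERNAL_NET = !HOME_NET) ---------
# Only traffic crossing the inside/outside boundary can match, which
# is all an egress sensor sees anyway.
var HOME_NET [192.0.2.0/24,198.51.100.0/24]
var EXTERNAL_NET !$HOME_NET
var HTTP_PORTS 80

# Placeholder rule (sid in the local 1000000+ range). With any/any it
# fires on a workstation fetching an intranet page; with the tuned
# variables only on an inbound request from outside HOME_NET.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"LOCAL example inbound web request"; flow:to_server,established; content:"/example-path"; nocase; classtype:web-application-activity; sid:1000001; rev:1;)
```

Restoring the two commented lines and removing the tuned definitions gives the noisy configuration for comparison.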