[Snort-users] false positives in snort IDs

Ophir Rachman ophir at ...12437...
Mon Jan 3 10:07:05 EST 2005


Hi,
The problem of false positives is inherent in security products and is not
specific to Snort. In Snort it is a little more emphasized since, unlike
commercial products, the rule writers are not terrified of customers
complaining about false positives and therefore they simply write rules for
whatever is interesting. Commercial products are extra careful about that and
consequently do not get all the interesting information.

We in Securimine believe this problem will not go away and there is a need
to develop automatic tools that will overcome this problem. More than that,
we do not believe the solution is in the detection layer, but in the data
analysis layer. Our company was founded to solve this problem and today we
are distributing a freeware product, SFS (Securimine for Snort), that uses
baseline monitoring combined with data mining algorithms to help Snort
users focus on the real issues and not on time-consuming normal data that
triggers alerts.

More information can be found in www.securimine.com.

Regards,
The Securimine team.


-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Bob Konigsberg
Sent: Monday, January 03, 2005 8:05 AM
To: 'Juan B'; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] false positives in snort IDs

I guess the first question I'd ask is: How much time have you already put
into identifying and classifying the false positives?

Simple example: If you're getting warnings about Apache and/or Microsoft web
servers, and you don't have any (meaning that all the servers in question
belong to someone else), then you should comment out the rulesets relating
to those functions.

A goodly part of this process is educating yourself and other staff about
what IS and what IS NOT normal and safe for your particular network.  Once
you know which is which, then you can tune the rules accordingly.

Bob
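As an added illustration of the tuning approach Bob describes (not code from the thread or from Snort), this script parses Snort "fast"-format alert lines, groups them by rule, and flags rules that only ever fire against hosts outside your own server list, emitting threshold.conf suppress entries for them. The alert lines and the server list are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed Snort fast-format alert lines (sample data, not from the thread).
SAMPLE_ALERTS = """\
01/03-08:05:12.100000  [**] [1:1002:7] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.7:4321 -> 192.0.2.10:80
01/03-08:05:13.200000  [**] [1:1002:7] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.7:4322 -> 192.0.2.11:80
01/03-08:06:01.300000  [**] [1:1256:8] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.9:5000 -> 192.0.2.10:80
01/03-08:07:44.400000  [**] [1:1000001:1] LOCAL ssh brute force [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.4:40000 -> 192.0.2.20:22
"""

# Hypothetical inventory of the servers that are actually ours.
MY_SERVERS = {"192.0.2.20", "192.0.2.30"}

# gid:sid:rev, rule message, then "src:port -> dst:port" at the end of the line.
FAST_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\*\*\].*?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> (?P<dst>\d+\.\d+\.\d+\.\d+):\d+")

def parse_alerts(text):
    """Yield (gid, sid, msg, dst) for every line that parses as a fast alert."""
    for line in text.splitlines():
        m = FAST_RE.search(line)
        if m:
            yield m["gid"], m["sid"], m["msg"], m["dst"]

def classify(text, my_servers):
    """Group alerts by rule. A rule whose destinations are never one of our own
    servers is a tuning candidate: the rule is warning about someone else's box."""
    by_rule = defaultdict(lambda: {"msg": "", "count": 0, "dsts": set()})
    for gid, sid, msg, dst in parse_alerts(text):
        r = by_rule[(gid, sid)]
        r["msg"], r["count"] = msg, r["count"] + 1
        r["dsts"].add(dst)
    for r in by_rule.values():
        r["candidate_fp"] = not (r["dsts"] & set(my_servers))
    return dict(by_rule)

def suppress_lines(report):
    """Snort 2.x threshold.conf entries that silence the candidate rules."""
    return [f"suppress gen_id {gid}, sig_id {sid}"
            for (gid, sid), r in sorted(report.items()) if r["candidate_fp"]]

if __name__ == "__main__":
    rep = classify(SAMPLE_ALERTS, MY_SERVERS)
    for (gid, sid), r in sorted(rep.items()):
        print(f"{gid}:{sid} {r['msg']!r} x{r['count']} candidate_fp={r['candidate_fp']}")
    print("\n".join(suppress_lines(rep)))
```

Review the candidate list before applying it; commenting out the whole ruleset (as Bob suggests) is the right call only once you have confirmed you really run none of the servers it protects.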


-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Juan B
Sent: Monday, January 03, 2005 3:58 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] false positives in snort IDs

Hi,

I am wondering about the false positives issue in Snort. I want to ask all
of you if some of you have reached a point in your Snort installation, a point in
configuration, where you don't receive false positives at all? I mean that each
alert that you receive is something interesting that you must know about? I am
really considering trying another product because of a heavy false positive
problem in Snort (although I'm aware that all the products have the same
problem). I am receiving a lot of false positives and I need to put a lot of
manpower into this IDS; I think that it's not worth it.

thanks !!




-------------------------------------------------------
The SF.Net email is sponsored by: Beat the post-holiday blues
Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek.
It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
