[Snort-users] Fine tuning Snort
jlay at ...13475...
Thu Oct 7 12:26:19 EDT 2010
So I'm needing to fine tune snort a bit. I get a high amount of FP's on

Emails with .jpg's:

[1:12798:3] SHELLCODE base64 x86 NOOP [**] [Classification: Executable Code was Detected]

exe downloads from Windows Updates:

[1:15306:4] WEB-CLIENT Portable Executable binary file transfer
[1:2000419:12] ET POLICY PE EXE or DLL Windows file download

I'd rather not just comment out these rules... what are other folks doing to minimize FP's? Thank you.