[Snort-users] Fine tuning Snort

James Lay jlay at ...13475...
Thu Oct 7 12:26:19 EDT 2010


Hello All.

So I'm needing to fine-tune Snort a bit. I get a high number of FPs on
things like:

Emails with .jpg attachments:
[1:12798:3] SHELLCODE base64 x86 NOOP [**] [Classification: Executable Code was Detected]

exe downloads from Windows Update:
[1:15306:4] WEB-CLIENT Portable Executable binary file transfer
[1:2000419:12] ET POLICY PE EXE or DLL Windows file download

I'd rather not just comment out these rules. What are other folks doing
to minimize FPs? Thank you.

James
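As an added illustration (not part of the original post or a reply to it), here is a Snort 2.x threshold.conf fragment that narrows the three SIDs named above instead of disabling them. The hosts and networks are constructed placeholders: 192.0.2.25 stands in for the inbound mail relay, 192.0.2.50 for an internal WSUS/Windows Update proxy, and 10.0.0.0/8 for the client LAN.

```snort
# threshold.conf: loaded from snort.conf via "include threshold.conf".
# Goal: keep the rules active everywhere except the specific, known-good
# traffic that generates the noise, so real hits elsewhere still alert.

# 1:12798 SHELLCODE base64 x86 NOOP fires on base64-encoded JPEGs in mail.
# Suppress it only for alerts whose source is the mail relay (placeholder),
# not for every source.
suppress gen_id 1, sig_id 12798, track by_src, ip 192.0.2.25

# 1:15306 WEB-CLIENT Portable Executable binary file transfer and
# 1:2000419 ET POLICY PE EXE or DLL Windows file download fire on every
# update fetched by the LAN. Suppress them when the download source is the
# internal update server (placeholder); downloads from anywhere else alert.
suppress gen_id 1, sig_id 15306, track by_src, ip 192.0.2.50
suppress gen_id 1, sig_id 2000419, track by_src, ip 192.0.2.50

# Alternative to outright suppression: keep the policy rule but rate-limit
# it, logging at most one PE download alert per destination client per hour
# so the event stream stays useful without drowning in repeats.
event_filter gen_id 1, sig_id 2000419, type limit, track by_dst, count 1, seconds 3600

# Suppressions are per-SID and per-host; a new noisy source shows up as a
# new alert rather than silently, which is the point of not commenting the
# rule out.
```

After editing threshold.conf, run `snort -T -c snort.conf` to verify the configuration parses before restarting the sensor.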