[Snort-users] Fine tuning Snort

James Lay jlay at ...13475...
Thu Oct 7 12:26:19 EDT 2010

Hello All.

So I'm needing to fine tune snort a bit.  I get a high amount of FP's on
things like:

Emails with .jpg's:
[1:12798:3] SHELLCODE base64 x86 NOOP [**] [Classification: Executable
Code was Detected]

exe downloads from Windows Updates:
[1:15306:4] WEB-CLIENT Portable Executable binary file transfer
[1:2000419:12] ET POLICY PE EXE or DLL Windows file download

I'd rather not just comment out these rules....what are other folks doing
to minimize FP's?  Thank you.


More information about the Snort-users mailing list