[Snort-users] false positives Mit lincoln laboratory and snort signatures

Negin Nickparsa nickparsa at ...11827...
Thu Aug 9 06:43:29 EDT 2012


Hello, dear Snort users,

I tested the DARPA 1999 dataset with Snort. I wrote an algorithm to cluster
alarms, and now I need to know which of the alarms are false positives
so as to update the Snort rules manually. This is just for my thesis, and I know
that Snort usually has exact rules.
I want to look at the attacks in DARPA, and if Snort identifies an attack
which DARPA didn't have, consider that alarm a false positive.
I couldn't match the signatures of Snort with the attacks of the DARPA dataset.

Would you please tell me how to map the signatures to attacks?
I mean, is there any file in Snort in which I can find the descriptions?


Thanks in Advance.
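The metadata the poster is looking for lives inside the rules files themselves: every Snort rule carries a sid, a msg, usually a classtype, and often one or more reference options. The example below (added here, not code from the poster or from the Snort project) pulls those fields out of rule text into a sid-keyed lookup, parses Snort's "alert fast" output lines, and labels each alert TP or FP by checking whether a ground-truth attack covers its timestamp and attacker/victim pair. The rules, alert lines and attack list are all constructed samples with hypothetical local-range sids; the ground-truth list is an assumed CSV-like representation, not the actual DARPA 1999 attack schedule format, and the 60-second slack and the requirement that both source and destination match are tuning choices, not part of any standard.

```python
"""Added example (not from the post): map Snort sids to rule metadata and
label alerts TP/FP against a ground-truth attack list."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed rules in standard Snort rule syntax; sids are hypothetical.
SAMPLE_RULES = r'''
# two constructed rules, local-range sids
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE EXEC attempt"; flow:to_server,established; content:"SITE"; nocase; content:"EXEC"; nocase; classtype:attempted-user; reference:cve,1999-0080; sid:1000001; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; dsize:0; itype:8; classtype:attempted-recon; sid:1000002; rev:2;)
'''

# Constructed "alert fast" lines (Snort 2 format, year is not logged).
SAMPLE_ALERTS = '''
08/09-06:43:29.000000  [**] [1:1000001:1] FTP SITE EXEC attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 202.77.162.213:1234 -> 172.16.112.50:21
08/09-07:15:02.000000  [**] [1:1000002:2] ICMP PING NMAP [**] [Classification: Attempted Information Leakage] [Priority: 2] {ICMP} 192.168.1.30 -> 172.16.112.50
08/09-06:44:10.000000  [**] [1:1000002:2] ICMP PING NMAP [**] [Classification: Attempted Information Leakage] [Priority: 2] {ICMP} 202.77.162.213 -> 172.16.112.50
'''

# Assumed ground-truth shape (constructed; not the real DARPA list format).
GROUND_TRUTH = [
    {"name": "ftp-site-exec", "start": "1999-08-09 06:40:00",
     "end": "1999-08-09 06:50:00",
     "attacker": "202.77.162.213", "victim": "172.16.112.50"},
]


def split_options(body):
    """Split the rule option body on ';' while respecting quoted strings."""
    out, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            out.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if "".join(cur).strip():
        out.append("".join(cur).strip())
    return out


def parse_rules(text):
    """Return {sid: {"msg", "classtype", "references"}} from rule text."""
    sigs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        start, end = line.find("("), line.rfind(")")
        if start < 0 or end < start:
            continue
        meta, sid = {"msg": None, "classtype": None, "references": []}, None
        for opt in split_options(line[start + 1:end]):
            key, _, val = opt.partition(":")
            key, val = key.strip(), val.strip().strip('"')
            if key == "sid":
                sid = val
            elif key == "reference":
                meta["references"].append(val)
            elif key in ("msg", "classtype"):
                meta[key] = val
        if sid:
            sigs[sid] = meta
    return sigs


ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?$"
)


def parse_alerts(text, year=1999):
    """Parse alert-fast lines; the year is supplied because Snort omits it."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            a = m.groupdict()
            a["time"] = datetime.strptime(f"{year}/{a['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
            alerts.append(a)
    return alerts


def classify_alerts(alerts_text, truth, year=1999, slack=timedelta(seconds=60)):
    """Label each alert TP if a known attack covers its time and IP pair, else FP."""
    attacks = [{**t, "start": datetime.fromisoformat(t["start"]) - slack,
                "end": datetime.fromisoformat(t["end"]) + slack} for t in truth]
    results = []
    for a in parse_alerts(alerts_text, year):
        hit = next((t["name"] for t in attacks
                    if t["start"] <= a["time"] <= t["end"]
                    and a["src"] == t["attacker"] and a["dst"] == t["victim"]), None)
        results.append({"sid": a["sid"], "msg": a["msg"], "time": a["time"],
                        "label": "TP" if hit else "FP", "attack": hit})
    return results


def fp_counts_by_sid(results, sigs):
    """Rank sids by false-positive count, with the rule msg for manual review."""
    counts = Counter(r["sid"] for r in results if r["label"] == "FP")
    return {sid: (n, sigs.get(sid, {}).get("msg")) for sid, n in counts.items()}


if __name__ == "__main__":
    sigs = parse_rules(SAMPLE_RULES)
    for r in classify_alerts(SAMPLE_ALERTS, GROUND_TRUTH):
        print(r["time"], r["sid"], r["label"], r["attack"], sigs[r["sid"]]["references"])
    print(fp_counts_by_sid(classify_alerts(SAMPLE_ALERTS, GROUND_TRUTH), sigs))
```

Point parse_rules at the concatenation of the .rules files your snort.conf includes, and feed the real alert file and the dataset's attack schedule (converted to the start/end/attacker/victim shape assumed above) into classify_alerts; the sids that dominate fp_counts_by_sid are the ones whose msg, classtype and reference fields tell you what the rule was meant to catch and therefore how to tune it.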
