[Snort-users] false positives Mit lincoln laboratory and snort signatures

Jefferson, Shawn Shawn.Jefferson at ...14448...
Mon Aug 13 12:27:07 EDT 2012


You want us to teach you how to be a Security Analyst?


1.     Look at the attacks from the DARPA dataset (they must be described somewhere, somehow?)

2.     Grep for the rule that fired in you rules file and see what it was looking for in the network traffic.

3.     Review all the links associated with the rule.

4.     Correlate all your information.

5.     Profit.

Simple!



From: Negin Nickparsa [mailto:nickparsa at ...11827...]
Sent: Thursday, August 09, 2012 3:43 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] false positives Mit lincoln laboratory and snort signatures

hello Dear Snort users

I tested the darpa dataset 1999 with snort,I wrote an algorithm to cluster alarms and now I need to know which of the alarms are false positives
so as to update the snort rules manually.this is just my thesis and I know the snort usually has exact rules.
I want to look at the attacks of darpa and if snort Identifies an attack which darpa didn't have it assume the alarm as false positive.
I couldn't match the signatures of snort with attacks of darpa dataset

would you please tell me how to map the signatures to attacks?
I mean is there any file in snort which I can find the descriptions?


Thanks in Advance.

[cid:image001.png at ...15752...]
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20120813/6be8fb49/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 309410 bytes
Desc: image001.png
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20120813/6be8fb49/attachment.png>


More information about the Snort-users mailing list