[Snort-users] Tuning snort for false positives.

fatema bannatwala fatema.bannatwala at gmail.com
Wed Jan 3 15:19:24 EST 2018


Hmm, that would be harder to achieve because of our network architecture.
And it would require a lot of network redesigning, which I do see happening in
the near future, sadly.. :/

Thanks!

On Wed, Jan 3, 2018 at 3:14 PM, Joel Esler (jesler) <jesler at cisco.com>
wrote:

> Step one would be to move them inside the firewall.  That should cut down
> on a ton of events I’d think.
>
> *--*
> *Joel Esler *| *Talos:* Manager | jesler at cisco.com
>
> On Jan 3, 2018, at 3:11 PM, fatema bannatwala <fatema.bannatwala at gmail.com>
> wrote:
>
> Thanks Joel for the response, and sharing the link to submit FPs.
>
> Also, I wanted to ask if you could provide some leads in the direction of
> tuning Snort; that would be helpful.
>
> Thanks,
> Fatema.
>
> On Wed, Jan 3, 2018 at 2:56 PM, Joel Esler (jesler) <jesler at cisco.com>
> wrote:
>
>> There are all kinds of methods of tuning Snort.  That being said, if you
>> believe that 90% of your alerts are false positives, it would probably be
>> beneficial to report those false positives to the rule writers.
>>
>> Instructions to file a false positive report: Submit a False Positive
>> <http://blog.snort.org/2016/11/reporting-false-positives-with-snortorg.html>.
>>
>>
>> *--*
>> *Joel Esler *| *Talos:* Manager | jesler at cisco.com
>>
>> On Jan 3, 2018, at 2:23 PM, fatema bannatwala via Snort-users <
>> snort-users at lists.snort.org> wrote:
>>
>> Most of the time almost 90% of the alerts result in false positives, and
>> it is kind of time consuming.
>