[Snort-users] Tuning snort for false positives.

Joel Esler (jesler) jesler at cisco.com
Wed Jan 3 15:22:43 EST 2018
Well, that would be first recommendation.  You’d want your firewall to block traffic that should not enter the network in the first place.  Snort should only analyze what gets through.  I bet if you did that your “false positive” rate would drop tremendously. (For UDP/ICMP)

I would seriously do that first, then come back and tell us what your alert load looks like, and we can make better recommendations aside from the standard “configure your HOME_NET and EXTERNAL_NET and shut off rules that do not pertain to your network” recommendations.

--
Joel Esler | Talos: Manager | jesler at cisco.com

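The two tuning steps named above (get HOME_NET/EXTERNAL_NET right and drop rules that do not apply to your network) are easier to act on once you can see which signatures fire most and how many alerts never touch your own address space at all. The following script is an added example, not code from this thread or from the Snort project: it parses constructed alert lines in Snort's alert_fast output format, flags alerts whose endpoints are both outside HOME_NET (a sign the sensor is seeing traffic the firewall should have dropped, or that HOME_NET is wrong), counts alerts per signature, and emits candidate event_filter lines in threshold.conf syntax for the noisiest SIDs. The sample alerts, SIDs and HOME_NET value are assumptions made up for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample alerts in Snort alert_fast format (not real events).
SAMPLE_ALERTS = """\
01/03-14:01:02.000001  [**] [1:2000:1] TEST SCAN UDP sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 198.51.100.7:40001 -> 203.0.113.10:53
01/03-14:01:03.000002  [**] [1:2000:1] TEST SCAN UDP sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 198.51.100.7:40002 -> 203.0.113.11:53
01/03-14:01:04.000003  [**] [1:2001:1] TEST ICMP ping sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.9 -> 203.0.113.12
01/03-14:02:00.000004  [**] [1:3000:2] TEST WEB suspicious request [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.44:51000 -> 10.0.5.20:80
01/03-14:02:05.000005  [**] [1:2000:1] TEST SCAN UDP sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 198.51.100.7:40003 -> 10.0.5.20:53
"""

# Assumed HOME_NET for the example; use the same CIDRs as your snort.conf.
HOME_NET = ["10.0.0.0/8"]

# One alert_fast line: "[**] [gid:sid:rev] msg [**] ... {PROTO} src[:port] -> dst[:port]"
# ICMP alerts carry no ports, so the port groups are optional. IPv4 only.
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r".*?\{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line):
    """Parse one alert_fast line into a dict, or return None if it does not match."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "gid": int(d["gid"]), "sid": int(d["sid"]), "rev": int(d["rev"]),
        "msg": d["msg"], "proto": d["proto"],
        "src": ipaddress.ip_address(d["src"]),
        "dst": ipaddress.ip_address(d["dst"]),
        "sport": int(d["sport"]) if d["sport"] else None,
        "dport": int(d["dport"]) if d["dport"] else None,
    }


def parse_alerts(text):
    """Parse every matching line; unparseable lines are skipped."""
    return [a for a in (parse_alert(l) for l in text.splitlines()) if a]


def outside_home_net(alerts, home_net_cidrs):
    """Alerts where neither endpoint is in HOME_NET: traffic the sensor should
    arguably never see once it sits behind the firewall, or a HOME_NET mistake."""
    nets = [ipaddress.ip_network(c) for c in home_net_cidrs]
    return [a for a in alerts
            if not any(a["src"] in n or a["dst"] in n for n in nets)]


def count_by_signature(alerts):
    """Alert volume per (gid, sid, msg), the usual starting point for tuning."""
    return Counter((a["gid"], a["sid"], a["msg"]) for a in alerts)


def suggest_event_filters(alerts, min_count=2, seconds=60):
    """Emit threshold.conf event_filter lines (rate-limit to 1 alert per source
    per window) for every signature that fired at least min_count times.
    Review each one before deploying; a noisy rule may still be a real hit."""
    lines = []
    for (gid, sid, msg), n in count_by_signature(alerts).most_common():
        if n < min_count:
            break  # most_common() is sorted descending, nothing left above threshold
        lines.append(f"# {msg}: {n} alerts in sample")
        lines.append(f"event_filter gen_id {gid}, sig_id {sid}, type limit, "
                     f"track by_src, count 1, seconds {seconds}")
    return lines


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    print(f"{len(alerts)} alerts, "
          f"{len(outside_home_net(alerts, HOME_NET))} with no HOME_NET endpoint")
    for (gid, sid, msg), n in count_by_signature(alerts).most_common():
        print(f"  [{gid}:{sid}] {msg}: {n}")
    print("\n".join(suggest_event_filters(alerts)))
```

Run it against a real alert file by replacing SAMPLE_ALERTS with the file contents; the "no HOME_NET endpoint" count is the number to look at before touching any rules, since those alerts disappear on their own once the sensor is moved behind the firewall or HOME_NET is corrected, and only the remainder tells you which signatures genuinely need a threshold or a suppress entry.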
On Jan 3, 2018, at 3:19 PM, fatema bannatwala <fatema.bannatwala at gmail.com> wrote:

Hmm, that would be harder to achieve because of our network architecture.
And it would require a lot of network redesigning, that I do see happening in the near future, sadly.. :/

Thanks!

On Wed, Jan 3, 2018 at 3:14 PM, Joel Esler (jesler) <jesler at cisco.com> wrote:
Step one would be to move them inside the firewall.  That should cut down on a ton of events I’d think.

--
Joel Esler | Talos: Manager | jesler at cisco.com

On Jan 3, 2018, at 3:11 PM, fatema bannatwala <fatema.bannatwala at gmail.com> wrote:

Thanks Joel for the response, and sharing the link to submit FPs.

Also, I wanted to ask if you could provide some leads in the direction of tuning Snort; that would be helpful.

Thanks,
Fatema.

On Wed, Jan 3, 2018 at 2:56 PM, Joel Esler (jesler) <jesler at cisco.com> wrote:
There are all kinds of methods of tuning Snort.  That being said, if you believe that 90% of your alerts are false positives, it would probably be beneficial to report those false positives to the rule writers.

Instructions to file a false positive report: Submit a False Positive <http://blog.snort.org/2016/11/reporting-false-positives-with-snortorg.html>.

--
Joel Esler | Talos: Manager | jesler at cisco.com

On Jan 3, 2018, at 2:23 PM, fatema bannatwala via Snort-users <snort-users at lists.snort.org> wrote:

Most of the time almost 90% of the alerts result in false positives, and it is kind of time consuming.