[Snort-users] Tuning snort for false positives.

fatema bannatwala fatema.bannatwala at gmail.com
Wed Jan 3 15:28:17 EST 2018


Thanks Joel for the recommendations, will try to work on that.

Fatema.

On Wed, Jan 3, 2018 at 3:22 PM, Joel Esler (jesler) <jesler at cisco.com>
wrote:

> Well, that would be first recommendation.  You’d want your firewall to
> block traffic that should not enter the network in the first place.  Snort
> should only analyze what gets through.  I bet if you did that your “false
> positive” rate would drop tremendously. (For UDP/ICMP)
>
> I would seriously do that first, then come back and tell us what your
> alert load looks like, and we can make better recommendations aside from
> the standard “configure your HOME_NET and EXTERNAL_NET and shut off rules
> that do not pertain to your network” recommendations.
>
>
> --
> Joel Esler | Talos: Manager | jesler at cisco.com
>
> On Jan 3, 2018, at 3:19 PM, fatema bannatwala <fatema.bannatwala at gmail.com>
> wrote:
>
> Hmm, that would be harder to achieve because of our network architecture.
> And would require lot of network redesigning, that I do see happening in
> near future, sadly.. :/
>
> Thanks!
>
> On Wed, Jan 3, 2018 at 3:14 PM, Joel Esler (jesler) <jesler at cisco.com>
> wrote:
>
>> Step one would be to move them inside the firewall.  That should cut down
>> on a ton of events I’d think.
>>
>> --
>> Joel Esler | Talos: Manager | jesler at cisco.com
>>
>> On Jan 3, 2018, at 3:11 PM, fatema bannatwala <
>> fatema.bannatwala at gmail.com> wrote:
>>
>> Thanks Joel for the response, and sharing the link to submit FPs.
>>
>> Also, I wanted to ask if you could provide some leads in the direction of
>> tuning Snort; that would be helpful.
>>
>>
>> Thanks,
>> Fatema.
>>
>> On Wed, Jan 3, 2018 at 2:56 PM, Joel Esler (jesler) <jesler at cisco.com>
>> wrote:
>>
>>> There are all kinds of methods to tuning Snort.  That being said, if you
>>> believe that 90% of your alerts are false positives, it would probably be
>>> beneficial to report those false positives to the rule writers.
>>>
>>> Instructions to file a false positive report: Submit a False Positive
>>> <http://blog.snort.org/2016/11/reporting-false-positives-with-snortorg.html>.
>>>
>>>
>>> --
>>> Joel Esler | Talos: Manager | jesler at cisco.com
>>>
>>> On Jan 3, 2018, at 2:23 PM, fatema bannatwala via Snort-users <
>>> snort-users at lists.snort.org> wrote:
>>>
>>> Most of the time almost 90% of the alerts result in false positives, and
>>> it is kind of time consuming.
>>>
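An added example, not from this thread, for the "tell us what your alert load looks like" step: a Python script that tallies Snort 2 alert_fast output by rule and by protocol (so you can see how much of the load is UDP/ICMP that a firewall in front of the sensor could have dropped) and proposes threshold.conf event_filter lines for the noisiest rules. The alert lines, addresses and SIDs are constructed placeholders, not real rules.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in Snort 2 "alert_fast" format; these are not real alerts
# and the SIDs are in the local-rule range (1000000+), used here as placeholders.
SAMPLE_ALERTS = """\
01/03-14:23:01.123456  [**] [1:1000001:2] LOCAL noisy UDP probe [**] [Classification: Misc activity] [Priority: 3] {UDP} 203.0.113.7:40000 -> 192.0.2.10:161
01/03-14:23:02.223456  [**] [1:1000001:2] LOCAL noisy UDP probe [**] [Classification: Misc activity] [Priority: 3] {UDP} 203.0.113.7:40001 -> 192.0.2.11:161
01/03-14:23:03.323456  [**] [1:1000001:2] LOCAL noisy UDP probe [**] [Classification: Misc activity] [Priority: 3] {UDP} 203.0.113.9:40002 -> 192.0.2.12:161
01/03-14:23:04.423456  [**] [1:1000002:1] LOCAL ICMP echo sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 198.51.100.4 -> 192.0.2.10
01/03-14:23:05.523456  [**] [1:1000003:1] LOCAL web exploit attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.20:51234 -> 192.0.2.80:80
"""

# One alert_fast line: "[**] [gid:sid:rev] msg [**] ... {PROTO} src[:port] -> dst[:port]"
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?"
)

def parse_alerts(text):
    """Return one dict per parseable alert line; unparseable lines are skipped."""
    return [m.groupdict() for m in map(ALERT_RE.search, text.splitlines()) if m]

def alert_load(alerts):
    """Per-rule and per-protocol totals: the 'what does your alert load look like' view."""
    by_rule = Counter((a["gid"], a["sid"], a["msg"]) for a in alerts)
    by_proto = Counter(a["proto"] for a in alerts)
    srcs = defaultdict(set)  # distinct sources per rule: many sources hints at a noisy rule
    for a in alerts:
        srcs[(a["gid"], a["sid"])].add(a["src"])
    return by_rule, by_proto, srcs

def suggest_event_filters(by_rule, srcs, min_count=3, seconds=60):
    """threshold.conf 'limit' filters (first alert per source per window) for rules firing >= min_count times."""
    lines = []
    for (gid, sid, msg), n in by_rule.most_common():
        if n < min_count:
            break  # most_common() is sorted, so nothing further qualifies
        lines.append(f"# {msg}: {n} alerts from {len(srcs[(gid, sid)])} source(s)")
        lines.append(f"event_filter gen_id {gid}, sig_id {sid}, type limit, "
                     f"track by_src, count 1, seconds {seconds}")
    return lines

if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    by_rule, by_proto, srcs = alert_load(alerts)
    total = len(alerts)
    for proto, n in by_proto.most_common():
        print(f"{proto:5} {n:4} ({100 * n / total:.0f}%)")
    print("\n".join(suggest_event_filters(by_rule, srcs)))
```

Review the proposed event_filter lines before adding them to threshold.conf: a limit filter keeps the first alert per source per window rather than silencing the rule, which is the safer first step before disabling anything.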