<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">
Step one would be to move them inside the firewall.  That should cut down on a ton of events I’d think.
<div class=""><br class="">
<div class="">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<div class=""><b style="font-family: Calibri, sans-serif; font-size: 10px;" class=""><font color="#5e5e5e" class="">--</font></b></div>
<div style="font-size: 14px;" class=""><b style="font-family: Calibri, sans-serif; font-size: 12px;" class=""><font color="#5e5e5e" class="">Joel Esler </font></b><span style="font-family: Calibri, sans-serif; font-size: 12px;" class="">| </span><b style="font-family: Calibri, sans-serif; font-size: 12px;" class=""><font color="#0096ff" class="">Talos:</font></b><span style="font-family: Calibri, sans-serif; font-size: 12px;" class=""> M</span><font color="#424242" style="font-family: Calibri, sans-serif; font-size: 12px;" class="">anager
 | <a href="mailto:jesler@cisco.com" class="">jesler@cisco.com</a></font></div>
<div class=""><font color="#424242" style="font-family: Calibri, sans-serif; font-size: 10px;" class=""><br class="">
</font></div>
</div>
<br class="Apple-interchange-newline">
</div>
<br class="Apple-interchange-newline">
</div>
<br class="Apple-interchange-newline">
<br class="Apple-interchange-newline">
</div>
<div style=""><br class="">
<blockquote type="cite" class="">
<div class="">On Jan 3, 2018, at 3:11 PM, fatema bannatwala &lt;<a href="mailto:fatema.bannatwala@gmail.com" class="">fatema.bannatwala@gmail.com</a>&gt; wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div dir="ltr" class="">Thanks Joel for the response, and sharing the link to submit FPs.
<div class=""><br class="">
</div>
<div class="">Also, wanted to ask, if you could provide some leads in the direction of tuning Snort, it would be helpful.</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class="">Thanks,</div>
<div class="">Fatema.</div>
</div>
<div class="gmail_extra"><br class="">
<div class="gmail_quote">On Wed, Jan 3, 2018 at 2:56 PM, Joel Esler (jesler) <span dir="ltr" class="">
&lt;<a href="mailto:jesler@cisco.com" target="_blank" class="">jesler@cisco.com</a>&gt;</span> wrote:<br class="">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word;line-break:after-white-space" class="">There are all kinds of methods of tuning Snort.  That being said, if you believe that 90% of your alerts are false positives, it would probably be beneficial to report those false positives
 to the rule writers.
<div class=""><br class="">
</div>
<div class=""><span style="font-stretch:normal;line-height:normal;font-family:'Lucida Grande'" class="">Instructions to file a false positive report: <a href="http://blog.snort.org/2016/11/reporting-false-positives-with-snortorg.html" target="_blank" class="">Submit
 a False Positive</a>.  </span></div>
<div class=""><font face="Lucida Grande" class=""><br class="">
</font></div>
<div class=""><font face="Lucida Grande" class=""><br class="">
</font>
<div class="">
<div style="letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; word-wrap: break-word;" class="">
<div style="letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; word-wrap: break-word;" class="">
<div style="letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; word-wrap: break-word;" class="">
<div class=""><b style="font-family:Calibri,sans-serif;font-size:10px" class=""><font color="#5e5e5e" class="">--</font></b></div>
<div style="font-size:14px" class=""><b style="font-family:Calibri,sans-serif;font-size:12px" class=""><font color="#5e5e5e" class="">Joel Esler </font></b><span style="font-family:Calibri,sans-serif;font-size:12px" class="">| </span><b style="font-family:Calibri,sans-serif;font-size:12px" class=""><font color="#0096ff" class="">Talos:</font></b><span style="font-family:Calibri,sans-serif;font-size:12px" class=""> M</span><font color="#424242" style="font-family:Calibri,sans-serif;font-size:12px" class="">anager
 | <a href="mailto:jesler@cisco.com" target="_blank" class="">jesler@cisco.com</a></font></div>
<div class=""><font color="#424242" style="font-family:Calibri,sans-serif;font-size:10px" class=""><br class="">
</font></div>
</div>
<br class="m_3980520704632162544Apple-interchange-newline">
</div>
<br class="m_3980520704632162544Apple-interchange-newline">
</div>
<br class="m_3980520704632162544Apple-interchange-newline">
<br class="m_3980520704632162544Apple-interchange-newline">
</div>
<span class="">
<div class=""><br class="">
<blockquote type="cite" class="">
<div class="">On Jan 3, 2018, at 2:23 PM, fatema bannatwala via Snort-users &lt;<a href="mailto:snort-users@lists.snort.org" target="_blank" class="">snort-users@lists.snort.org</a>&gt; wrote:</div>
<br class="m_3980520704632162544Apple-interchange-newline">
<div class=""><span style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;float:none;display:inline!important" class="">Most
 of the time almost 90% of the alerts result in false positives, and it is kind of time-consuming</span></div>
</blockquote>
</div>
<br class="">
</span></div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</body>
</html>