Network Security Focus-IDS

RE: Snort

Subject: RE: Snort
Date: Thu, 30 Sep 2004 12:47:34 -0400
There's no magic bullet to eliminate false positives.  The solution
surrounds understanding the traffic that is generating the false
positive and tuning (or turning off) the signature as appropriate.
Snort signatures are pretty flexible so you just need to read up and do
some further analysis.  If you're new to this I suggest an intrusion
analysis course (I liked the SANS one, but that's not a plug) to help
you better understand why traffic that isn't really a threat is being
logged as such.  Too many people out there turn on every signature they
can without understanding what's applicable to their environment and
then are overwhelmed with the amount of data (i.e. if you're an
environment that forces browsing through proxies you shouldn't be
alerting on proxy Web GETs).  Reports don't take out your false
positives.  Not logging forensically uninteresting traffic takes out your
false positives.

Once you've done some tuning and are beginning to log only events of
forensic interest THEN you should look at some correlation software.
There are both open source and commercial software offerings that do
this differently based upon your needs.  Do some research and see what
fits for the kinds of reports you need to generate.

Hope this helps,

Scott
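
Scott's advice, turned into an added example (this is not from the thread): a Python pass over Snort alert_fast lines that first shows which signature/source pairs make the noise, then applies a suppression in the shape of a threshold.conf `suppress ... track by_src` entry so the proxy's GETs stop being logged while GETs from hosts that bypass the proxy still alert. The proxy address 10.1.1.54, the local SIDs and the sample alerts are constructed.

```python
import re
from collections import Counter

# Snort 2.x alert_fast layout: "MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] ... {PROTO} src:sport -> dst:dport"
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Constructed sample alerts (not real Snort output): 10.1.1.54 is a hypothetical outbound web proxy, SIDs 1000001/1000002 are made-up local rules.
SAMPLE_ALERTS = """\
09/27-17:09:01.102331  [**] [1:1000001:2] LOCAL-WEB GET via proxy [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.1.1.54:41022 -> 203.0.113.8:80
09/27-17:09:02.445190  [**] [1:1000001:2] LOCAL-WEB GET via proxy [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.1.1.54:41023 -> 203.0.113.9:80
09/27-17:09:03.000778  [**] [1:1000001:2] LOCAL-WEB GET via proxy [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.1.1.54:41024 -> 198.51.100.3:80
09/27-17:09:04.223400  [**] [1:1000001:2] LOCAL-WEB GET via proxy [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.1.1.77:3421 -> 198.51.100.3:80
09/27-17:10:15.903112  [**] [1:1000002:1] LOCAL-SCAN SYN sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.19:53011 -> 10.1.1.20:22
"""

def parse_alerts(text):
    """Parse alert_fast lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            a = m.groupdict()
            a["gid"], a["sid"] = int(a["gid"]), int(a["sid"])
            alerts.append(a)
    return alerts

def top_talkers(alerts, n=5):
    """Tuning step 1: which (signature, source) pairs produce the volume?"""
    c = Counter((a["gid"], a["sid"], a["msg"], a["src"]) for a in alerts)
    return c.most_common(n)

# Tuning step 2, in the shape of a threshold.conf entry:
#   suppress gen_id 1, sig_id 1000001, track by_src, ip 10.1.1.54
# Suppressing only the proxy's source keeps the rule live for hosts that bypass the proxy.
SUPPRESS = [(1, 1000001, "by_src", "10.1.1.54")]

def apply_suppress(alerts, rules=SUPPRESS):
    """Drop alerts matched by a suppress entry; everything else is kept."""
    kept = []
    for a in alerts:
        hit = any(a["gid"] == g and a["sid"] == s
                  and a["src" if track == "by_src" else "dst"] == ip
                  for g, s, track, ip in rules)
        if not hit:
            kept.append(a)
    return kept
```

Running `top_talkers` first tells you what to tune; `apply_suppress` then shows that the three proxy GETs disappear while the GET from 10.1.1.77 and the SYN sweep remain.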


-----Original Message-----
From: Jeremy Gonzales [mailto:jerdgonzales@yahoo.com] 
Sent: Monday, September 27, 2004 5:09 PM
To: focus-ids@securityfocus.com
Subject: Snort


Hi,

Does anyone have experience with snort reports? How do
you deal with the loads of information? Is there a way
to generate reports that eliminate the false
positives? Any help will be appreciated.

Thanks,

Jeremy.

