Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Snort

from [Graeme Connell] Network Security [Permanent Link]
Subject: Re: Snort
Date: Thu, 30 Sep 2004 13:04:24 -0400
Jeremy,
You've just encountered one of the largest and most difficult problems in the IDS industry today: How to deal with the information you receive. There are numerous projects designed to present data stored by Snort in a more comprehensive way. You can check out the following projects:

ACID: http://acidlab.sourceforge.net/
SnortSnarf: http://www.snort.org/dl/contrib/data_analysis/snortsnarf/
Sguil: http://sguil.sourceforge.net/

All are available for free, and all attempt to parse the data received from Snort in a way that's managable.
Eliminating false positives is, I'm afraid, an unattainable goal. You can try to remove the most common ones you receive by modifying the rules that snort uses, but remember that this will increase the possibility of false negatives, or attacks that go unnoticed. I'd check out the projects above before attempting to modify the rule files for Snort, and if you still have problems, consider that as a second option.

      --Graeme Connell

Jeremy Gonzales wrote:

Hi,

Does anyone have experience with snort reports? How do
you deal with the loads of information? Is there a way
to  generate reports that eliminate the false
positives? Any help will be appreciated.

Thanks,

Jeremy.



                
__________________________________
Do you Yahoo!?
Yahoo! Mail - 50x more storage than other providers!
http://promotions.yahoo.com/new_mail

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE 
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to 
learn more.
--------------------------------------------------------------------------





--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE 
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to 
learn more.
--------------------------------------------------------------------------

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: IDS Sensor operation, Joseph Hamm
Next by Date:  RE: Radware DefensePro vs McAfee Intrushield vs TippingPoint UnityOne, Julius Detritus
Previous by Thread:  Re: Snort, vvaduva
Next by Thread:  RE: Snort, Wozny, Scott (US - New York)
Indexes:  [Date] [Thread] [Top] [All Lists]