Re: Re: How can I recognize Snort rules with high false positive rate?

[Ali Zand <ali.zand () gmail com>]

> The goal of IDS tuning is to reduce FPs to an acceptable level, while
> trying to avoid setting up your system for FNs.  This doesn't mean that
> I believe that there are never FNs--it just means that an operator
> should do everything possible to try and prevent them.
>
> Taking the "I don't care about FNs" approach to tuning will usually
> result in the operator carelessly disabling features and attack classes
> in the name of getting rid of FPs, which will serve the immediate
> purpose, but will likely result in a lot of missed legitimate detects as
> well.
>
> And when it all comes down to it, it's easy to dismiss FPs at the
> analyst's console.  That's cheap compared to 50 FNs that were missed
> because some entire attack class was slashed in the name or FP reduction.
I'm going to use Snort in combination with another IDS, and I want to
detect attacks which Snort supports but the IDS does not.
So considering :
1. having another IDS
2. having several FP messages on that IDS and having to process these
false messages
3. Very high false alerts will lessen analyst sensitivity, and he/she
will not care about them anymore.
I want to have just very accurate rules of Snort.
I'm trying just to strengthen my original IDS.

Thanks


-------------------------------------------------------
This SF.Net email is sponsored by The 2004 JavaOne(SM) Conference
Learn from the experts at JavaOne(SM), Sun's Worldwide Java Developer
Conference, June 28 - July 1 at the Moscone Center in San Francisco, CA
REGISTER AND SAVE! http://java.sun.com/javaone/sf Priority Code NWMGYKND
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users