Re: [Snort-users] Help to configure SNORT



Old 12-24-2003
Matt Kettler
At 05:00 PM 12/23/2003, Lorenzo Rossi wrote:
>Do you think it is a good idea to have "evasion_alerts" enabled even if it
>causes lots of alerts?


Really what level of "false alarms" is acceptable is a function of how you
use snort and what you want from it.

Some people like snort to run pretty quiet, and only alert for very
suspicious things. This way, when snort fires they know they should pay
attention because something is likely to be wrong.

Others like snort to try to catch pretty much everything that's remotely
odd. This winds up generating a lot of false alarms and runs the risk of
having an important alert get overlooked because it's buried in a pile of
other alerts. However, it has the advantage of giving you a lot of extra
forensic data to work with in the event of an intrusion.

The evasion alerts are highly prone to false positives. At least 90% of the
evasion alerts will be false positives due to some broken TCP/IP stack.
They can be useful when tracking down a "what happened here" case after an
intrusion, but in and of themselves they cannot be considered a sign of
attack.

If you're the kind of person that wants lots of logging data, go ahead and
leave them on, but don't let them lull you into ignoring everything that
comes out of snort.



_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
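One way to act on the advice above, as an added example that is not from the original post or the Snort project: a Python triage script over Snort 2.x fast-format alert lines that keeps the stream4 evasion alerts (generator id 111) for forensic use but reports them separately, per source host, so they cannot bury the rule-based alerts. The alert lines, SIDs and message texts are constructed samples, not real captures.

```python
"""Triage Snort fast-format alerts: keep stream4 evasion alerts for forensics,
but report them apart from rule hits so noise cannot hide an important alert."""
import re
from collections import Counter

# Fast alert line layout (one alert per line):
# ts [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {proto} src:port -> dst:port
FAST_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?P<msg>.+?) \[\*\*\] "
    r"(?:\[Classification: [^\]]+\] )?\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?$"
)
STREAM4_GID = "111"  # generator id of the stream4 preprocessor, which raises the evasion alerts

# Constructed sample alerts (not real captures); SIDs and message texts only imitate stream4's style.
SAMPLE_ALERTS = """\
12/23-17:00:01.000001 [**] [111:1:1] (spp_stream4) STEALTH ACTIVITY (unknown) detection [**] [Priority: 3] {TCP} 10.1.1.7:1034 -> 192.168.1.10:80
12/23-17:00:02.000002 [**] [111:2:1] (spp_stream4) possible EVASIVE RST detection [**] [Priority: 3] {TCP} 10.1.1.7:1035 -> 192.168.1.10:80
12/23-17:00:03.000003 [**] [111:2:1] (spp_stream4) possible EVASIVE RST detection [**] [Priority: 3] {TCP} 10.1.1.7:1036 -> 192.168.1.10:80
12/23-17:00:04.000004 [**] [111:5:1] (spp_stream4) TTL LIMIT Exceeded [**] [Priority: 3] {TCP} 10.1.1.9:2200 -> 192.168.1.10:25
12/23-17:00:05.000005 [**] [1:1000001:1] CONSTRUCTED SAMPLE web attack [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 172.16.0.3:40000 -> 192.168.1.10:80
12/23-17:00:06.000006 [**] [111:2:1] (spp_stream4) possible EVASIVE RST detection [**] [Priority: 3] {TCP} 10.1.1.7:1037 -> 192.168.1.10:80
"""


def parse_alert(line):
    """Return a dict of the alert's fields, or None for lines that are not fast-format alerts."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["prio"] = int(d["prio"])
    d["evasion"] = d["gid"] == STREAM4_GID
    return d


def triage(lines):
    """Split alerts into rule hits (sorted by priority, 1 = most urgent) and evasion noise per source."""
    alerts = [a for a in (parse_alert(l) for l in lines) if a]
    evasion = [a for a in alerts if a["evasion"]]
    other = sorted((a for a in alerts if not a["evasion"]), key=lambda a: a["prio"])
    return {
        "review_first": [(a["prio"], a["msg"], a["src"], a["dst"]) for a in other],
        # a host that tops this counter day after day is usually a broken stack, not an attacker
        "evasion_by_src": Counter(a["src"] for a in evasion),
        "evasion_share": len(evasion) / len(alerts) if alerts else 0.0,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_ALERTS.splitlines())
    for prio, msg, src, dst in report["review_first"]:
        print(f"[prio {prio}] {msg}: {src} -> {dst}")
    print(f"evasion alerts: {report['evasion_share']:.0%} of total, by source {dict(report['evasion_by_src'])}")
```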