Re: [Snort-users] How can I recognize Snort rules with high false
This is a discussion on Re: [Snort-users] How can I recognize Snort rules with high false within the Snort forums, part of the System Security and Security Related category; > In my network, low false positive rate is very more important than low > false negative rate. Ummm, I ...
|
|||||||
| FAQ | Members List | Calendar | Search | Today's Posts | Mark Forums Read |
06-18-2004
|
|||
|
|||
Re: [Snort-users] How can I recognize Snort rules with high false
> In my network, low false positive rate is very more important than low
> false negative rate. Ummm, I think you have it backwards. False positives suck, but they can be dealt with. False negatives mean that attacks are bypassing the sensor without detection. If you don't mind false negatives, you're wasting your time running an IDS. > I need someway to classify Snort rules to "with low false positive > rate" and "with high false positive rate" categories. > How can I recognize these rules? No one but you can tell. Analysts determine false positives by looking at alert data in the context of their own environments, and determining which attacks are being caused by known valid traffic. > Does Snort rules' "classtype" and "priority" indicate their "false > positive(or negative) rate"? No. See above. The classtype indicates a type or class of attack, such as privilege escalation. Priority indicates the pre-assigned severity of the attack. For instance, a ping sweep would have a lower priority that a buffer overflow, because one returns information to the attacker, and one give the attacker root. > If yes, how? > If no, how can I get some information about this? I would recommend checking out Network Intrusion Detection by Novak and Northcutt. I think you're a little off base with the point if the system itself, and the analysts role in making the final determination between harmless and malicious detects. ------------------------------------------------------- This SF.Net email is sponsored by The 2004 JavaOne(SM) Conference Learn from the experts at JavaOne(SM), Sun's Worldwide Java Developer Conference, June 28 - July 1 at the Moscone Center in San Francisco, CA REGISTER AND SAVE! http://java.sun.com/javaone/sf Priority Code NWMGYKND _______________________________________________ Snort-users mailing list Snort-users@lists.sourceforge.net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/...fo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.p...st=snort-users Email Confidentiality Notice: The information contained in this transmission is confidential, proprietary or privileged and may be subject to protection under the law, including the Health Insurance Portability and Accountability Act (HIPAA). The message is intended for the sole use of the individual or entity to whom it is addressed. If you are not the intended recipient, you are notified that any use, distribution or copying of the message is strictly prohibited and may subject you to criminal or civil penalties. If you received this transmission in error, please contact the sender immediately by replying to this email and delete the material from any computer. ------------------------------------------------------- This SF.Net email is sponsored by The 2004 JavaOne(SM) Conference Learn from the experts at JavaOne(SM), Sun's Worldwide Java Developer Conference, June 28 - July 1 at the Moscone Center in San Francisco, CA REGISTER AND SAVE! http://java.sun.com/javaone/sf Priority Code NWMGYKND _______________________________________________ Snort-users mailing list Snort-users@lists.sourceforge.net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/...fo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.p...st=snort-users 
|
Linear Mode
