Focus on IDS
Snort with an expert system Apr 04 2009 12:22PM
Timmmy (bluesinblood gmail com) (1 reply)
Re: Snort with an expert system Apr 18 2009 03:07PM
Stephen Mullins (steve mullins work gmail com) (1 reply)
Re: Snort with an expert system Apr 20 2009 05:51PM
Martin Roesch (roesch sourcefire com)
I think the best way to reduce false positives is proactively at
tune-time. If you look into my rhetoric regarding "target-based" IDS
(and IPS) you'll see that I've been espousing a position where false
positives are an artifact of poorly tuned engines. You have two
options to try to rectify this issue:

1) Better tuning, preferably based on intelligence surrounding the
attributes of devices in the defended network and automation to bring
that info to the sensor technology.

2) Post-detection contextualization utilizing vulnerability mapping
and automated methods for assessing the relevance of events versus the
composition of the target that they're aimed at.

I think that method 1 is potentially stronger than 2 because it not
only reduces false positives, it also reduces false negatives by
reducing the informational disparity between the attacker and the
defending sensor technology.

Regarding your question, if you turn on any of the rule sets blindly
you're going to get a lot of noise (false positives) due to the lack
of tuning so to some degree they're all equally appropriate. Probably
choosing the rules that cover protocols you're most comfortable with
makes the most sense though so you can understand the nature of the
data they're generating.


On Sat, Apr 18, 2009 at 11:07 AM, Stephen Mullins <[email concealed]> wrote:
> False positives will vary from network to network.  You can alter the
> rules to eliminate false positives you run into.
> I wouldn't use the spyware rules unless you want Snort telling you
> everyone has Earthlink toolbar installed when they check their
> Earthlink ISP webmail.
> On Sat, Apr 4, 2009 at 8:22 AM, Timmmy <bluesinblood (at) gmail (dot) com> wrote:
>> Hi everybody
>> I'm coupling an IDS with an expert system. I want to prove that this could
>> decrease the number of false positives. I chose Snort as an IDS.
>> Because of the huge number of signatures, I just want (for now) to take a
>> little set of signatures and design the expert system rules according to
>> these signatures to work like an administrator would do (analyse logs,
>> monitor the alerts, know if it's a false positive or not, make decision).
>> So, what is in your opinion the right set of signatures to take (for
>> example, the signatures that generate a lot of false positives) ?
>> Thx!

Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World
Snort: Open Source IDP
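The second approach in the reply above, post-detection contextualization against a map of what each target host actually runs, is easy to prototype. The following is an added example written for this archive page; it is not code from the thread, from Snort or from Sourcefire. It reads alert_fast-style lines, looks the destination up in a host inventory, compares it with the OS and service a rule is only meaningful against, and demotes alerts that cannot apply. The SIDs (1000001-1000003), addresses, inventory entries and alert lines are all constructed for illustration; the "unknown" verdict for hosts missing from the inventory is the informational gap that the tune-time approach is meant to close.

```python
"""Post-detection contextualization of Snort alerts against a host inventory.

Added example, not code from the thread or from Snort/Sourcefire. Every SID,
address, inventory entry and alert line below is constructed for illustration.
"""
import re
from collections import Counter

FAST_ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\]"
    r".*?\{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)
PRIORITY_RE = re.compile(r"\[Priority: (\d+)\]")

# Constructed inventory: what a scanner or passive fingerprinting would supply.
INVENTORY = {
    "192.0.2.20": {"os": "windows", "services": {("tcp", 80): "iis"}},
    "192.0.2.30": {"os": "linux", "services": {("tcp", 80): "apache"}},
    "192.0.2.40": {"os": "windows", "services": {("tcp", 1433): "mssql"}},
}

# Constructed per-rule requirements: the OS/service a SID is only meaningful against.
RULE_CONTEXT = {
    1000001: {"os": "windows", "service": "iis"},    # hypothetical IIS-only web rule
    1000002: {"os": "windows", "service": "mssql"},  # hypothetical SQL resolver rule
}

# Constructed alert_fast lines using the hypothetical SIDs above.
SAMPLE_ALERTS = """\
04/04-12:22:01.000001  [**] [1:1000001:1] WEB-IIS cmd.exe access (sample) [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.10:51234 -> 192.0.2.20:80
04/04-12:22:02.000001  [**] [1:1000001:1] WEB-IIS cmd.exe access (sample) [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.10:51235 -> 192.0.2.30:80
04/04-12:22:03.000001  [**] [1:1000002:1] MS-SQL resolver overflow (sample) [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.11:1434 -> 192.0.2.40:1434
04/04-12:22:04.000001  [**] [1:1000001:1] WEB-IIS cmd.exe access (sample) [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.10:51236 -> 192.0.2.99:80
04/04-12:22:05.000001  [**] [1:1000003:1] ICMP large echo (sample) [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.12 -> 192.0.2.20
"""


def parse_fast_alert(line):
    """Return a dict for one alert_fast line, or None if it does not parse."""
    m = FAST_ALERT_RE.search(line)
    if not m:
        return None
    p = PRIORITY_RE.search(line)
    return {
        "sid": int(m["sid"]),
        "msg": m["msg"],
        "proto": m["proto"].lower(),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]) if m["dport"] else None,  # None for ICMP
        "priority": int(p.group(1)) if p else None,
    }


def assess(alert, inventory=INVENTORY, rule_context=RULE_CONTEXT):
    """Decide whether the target host can actually be affected by what the rule detects."""
    host = inventory.get(alert["dst"])
    if host is None:
        # No knowledge of the target: the gap that tune-time intelligence is meant to close.
        return "unknown", "target not in inventory"
    req = rule_context.get(alert["sid"])
    if req is None:
        return "unmapped", "no target requirements recorded for SID %d" % alert["sid"]
    if req.get("os") and host["os"] != req["os"]:
        return "irrelevant", "rule targets %s, host runs %s" % (req["os"], host["os"])
    if alert["dport"] is not None:
        svc = host["services"].get((alert["proto"], alert["dport"]))
        if svc is None:
            return "irrelevant", "%s/%d not open on target" % (alert["proto"], alert["dport"])
        if req.get("service") and svc != req["service"]:
            return "irrelevant", "rule targets %s, port serves %s" % (req["service"], svc)
    return "relevant", "target exposes what the rule detects"


def contextualize(text, inventory=INVENTORY, rule_context=RULE_CONTEXT):
    """Annotate each parseable alert with a verdict, a reason and an adjusted priority.

    Irrelevant alerts are demoted to the lowest priority rather than dropped, so
    the evidence survives for tuning the rule set later.
    """
    out = []
    for line in text.splitlines():
        alert = parse_fast_alert(line)
        if alert is None:
            continue
        verdict, reason = assess(alert, inventory, rule_context)
        alert["verdict"], alert["reason"] = verdict, reason
        alert["adjusted_priority"] = 3 if verdict == "irrelevant" else alert["priority"]
        out.append(alert)
    return out


def verdict_counts(results):
    """Per-verdict totals, the numbers a tuning report would start from."""
    return Counter(r["verdict"] for r in results)


if __name__ == "__main__":
    results = contextualize(SAMPLE_ALERTS)
    for r in results:
        print("%-10s sid=%d -> %s (%s)" % (r["verdict"], r["sid"], r["dst"], r["reason"]))
    print(dict(verdict_counts(results)))
```

Run on the constructed lines, the IIS rule against the Windows/IIS host stays relevant, the same rule against the Linux/Apache host and the SQL resolver rule against a host with no UDP/1434 listener are demoted, the host missing from the inventory is flagged unknown, and the SID with no recorded requirements is reported as unmapped so it can be added to the context table. The "unmapped" and "unknown" buckets are the ones worth watching: they measure how much of the alert stream the contextualization cannot yet judge.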



Copyright 2010, SecurityFocus