Focus on IDS
Snort with an expert system Apr 04 2009 12:22PM
Timmmy (bluesinblood gmail com) (1 replies)
Re: Snort with an expert system Apr 18 2009 03:07PM
Stephen Mullins (steve mullins work gmail com) (1 replies)
False positives will vary from network to network. You can alter the
rules to eliminate false positives you run into.

I wouldn't use the spyware rules unless you want Snort telling you
everyone has Earthlink toolbar installed when they check their
Earthlink ISP webmail.

On Sat, Apr 4, 2009 at 8:22 AM, Timmmy <bluesinblood (at) gmail (dot) com> wrote:
> Hi everybody
> I'm coupling an IDS with an expert system. I want to prove that this could
> decrease the number of false positives. I chose Snort as an IDS.
> Because of the huge number of signatures, I just want (for now) to take a
> little set of signatures and design the expert system rules according to
> theses signatures to work like an administrator would do (analyse logs,
> monitor the alerts, know if it's a false positive or not, make decision).
> So, what is in your opinion the right set of signatures to take (for
> example, the signatures that generate a lot of false positives) ?
> Thx!

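To make the two points above concrete (the original poster's "expert system rules that work like an administrator would" and Stephen's "alter the rules to eliminate false positives you run into"), here is an added example that is not from either poster or from the Snort project. It parses Snort's one-line "fast" alert format, applies a few administrator-style rules to mark likely false positives, and emits the Snort 2.x `suppress` directives that would silence those alerts at the sensor. The SIDs, messages, networks and the "known webmail range" and "authorized scanner" values are constructed for illustration and are not real rule IDs or site data.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Snort 2.x one-line "fast" alert format:
#   <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} src:port -> dst:port
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

@dataclass
class Alert:
    ts: str
    gid: int
    sid: int
    rev: int
    msg: str
    cls: str
    prio: int
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]

def parse_fast_alert(line: str) -> Optional[Alert]:
    """Return an Alert for one fast-format line, or None if it does not parse."""
    m = FAST_ALERT_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return Alert(
        ts=g["ts"], gid=int(g["gid"]), sid=int(g["sid"]), rev=int(g["rev"]),
        msg=g["msg"], cls=g["cls"] or "", prio=int(g["prio"]), proto=g["proto"],
        src=g["src"], sport=int(g["sport"]) if g["sport"] else None,
        dst=g["dst"], dport=int(g["dport"]) if g["dport"] else None,
    )

# Site knowledge an administrator carries in their head (constructed values):
# the ISP webmail range that legitimately trips "toolbar" adware signatures,
# and the internal host that is authorized to run vulnerability scans.
KNOWN_WEBMAIL_NETS = [ip_network("203.0.113.0/24")]
AUTHORIZED_SCANNERS = {"10.0.0.50"}

def in_nets(ip: str, nets) -> bool:
    addr = ip_address(ip)
    return any(addr in n for n in nets)

# Expert-system rules: (name, predicate, verdict, suppress spec).
# The suppress spec is (track, ip); ip=None means "take it from the alert".
RULES = [
    ("adware_sig_to_known_webmail",
     lambda a: "toolbar" in a.msg.lower() and in_nets(a.dst, KNOWN_WEBMAIL_NETS),
     "false_positive", ("by_dst", "203.0.113.0/24")),
    ("authorized_internal_scanner",
     lambda a: a.src in AUTHORIZED_SCANNERS,
     "false_positive", ("by_src", None)),
]

def classify(alert: Alert):
    """Apply rules in order; first match wins. Unmatched alerts go to an analyst."""
    for name, pred, verdict, spec in RULES:
        if pred(alert):
            return name, verdict, spec
    return "no_rule", "needs_review", None

def suppress_directive(alert: Alert, spec) -> str:
    """Snort 2.x threshold.conf syntax: suppress gen_id G, sig_id S, track by_src|by_dst, ip X"""
    track, ip = spec
    ip = ip or (alert.src if track == "by_src" else alert.dst)
    return f"suppress gen_id {alert.gid}, sig_id {alert.sid}, track {track}, ip {ip}"

def triage(lines):
    """Return ([(sid, verdict, rule_name)], [suppress directives]) for fast-alert lines."""
    verdicts, suppress = [], []
    for line in lines:
        a = parse_fast_alert(line)
        if a is None:            # not a fast-format alert line; skip it
            continue
        name, verdict, spec = classify(a)
        verdicts.append((a.sid, verdict, name))
        if spec:
            d = suppress_directive(a, spec)
            if d not in suppress:
                suppress.append(d)
    return verdicts, suppress

# Constructed sample alerts; SIDs in the 9000000 range are not real Snort rule IDs.
SAMPLE_ALERTS = [
    "04/04-08:22:01.000001  [**] [1:9000001:2] SPYWARE-PUT Adware toolbar user-agent [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.20:51234 -> 203.0.113.10:80",
    "04/04-08:22:02.000002  [**] [1:9000002:1] SCAN nmap XMAS [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.50:40000 -> 192.168.1.7:22",
    "04/04-08:22:03.000003  [**] [1:9000003:1] WEB-ATTACKS /etc/passwd access [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.9:3344 -> 192.168.1.7:80",
    "this line is not a Snort alert and is skipped",
]

if __name__ == "__main__":
    verdicts, directives = triage(SAMPLE_ALERTS)
    for row in verdicts:
        print(row)
    print("\n".join(directives))
```

The rule set is deliberately the part that varies from network to network, which is the point Stephen makes: the same "toolbar" alert is noise at a site whose users read ISP webmail and worth a look elsewhere. Emitting `suppress` lines rather than deleting signatures keeps the rule in place for other destinations, and anything no rule claims is left for a human rather than silently dropped.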
Re: Snort with an expert system Apr 20 2009 05:51PM
Martin Roesch (roesch sourcefire com)
Copyright 2010, SecurityFocus