Snort - the de facto standard for intrusion detection/prevention

4.5 I'm getting large amounts of <some alert type>. What should I do? Where can I go to find out more about it?

Some rules are more prone to producing false positives than others, and which ones do will vary from network to network. First determine whether the alert really is a false positive. Most rules carry one or more reference identifiers (the reference: option in the rule body) that point at an external description of the attack or vulnerability the rule was written for. The following are the common reference systems and where to look up a particular identifier.

System    Example          URL
IDS       IDS182           http://www.whitehats.com/IDS/182
CVE       CVE-2000-0138    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0138
Bugtraq   BugtraqID 1      http://www.securityfocus.com/vdb/bottom.html?vid=1
McAfee    McAfee 10225     http://vil.nai.com/vil/dispVirus.asp?virus_k=10225
Nessus    Nessus 11073     http://cgi.nessus.org/plugins/dump.php3?id=11073

(The CVE example resolves through the CAN- prefix that MITRE used for candidate entries; the number is the same as in the CVE- form.)

It may be necessary to examine the packet payload to decide whether an alert is a false positive; start Snort with the -d option so that the application-layer payload is logged along with the headers. If the alerts turn out to be false positives, write pass rules for the specific machines that produce large numbers of them, keeping the detection options of the original rule so that only the known-benign traffic is suppressed. Note that older Snort 2.x releases evaluate alert rules before pass rules by default; if your pass rules appear to have no effect, change the rule order with the -o command-line switch (or the config order: directive in snort.conf). Only if a rule produces an unmanageable number of false positives from many different machines should you pass the rule for all traffic. Treat that as a last resort, since it also hides any real attack the rule would have caught.
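The procedure this entry describes (find the rule's reference identifiers, look them up, see which hosts are generating the alerts, and pass only those hosts rather than the whole rule) as an added example in Python. This is not code from the Snort FAQ or the Snort project: the reference-system URL prefixes are taken from the table above, while the rules, SIDs, hosts and alert_fast lines are constructed, and the SIDs given to the drafted pass rules are hypothetical.

```python
"""Triage a flood of Snort alerts: count them per rule and per source host, build the
look-up URL for each rule's reference: identifiers, and draft a pass rule for the noisiest
hosts. Added example for this FAQ entry, not Snort code; sample rules and alerts are constructed."""
import re
from collections import Counter, defaultdict

# Reference systems from the FAQ table, keyed by the name used in a rule's reference: option
# (Snort's reference.config does the same: system name -> URL prefix). Snort rules refer to
# the whitehats IDS database as "arachnids".
REFERENCE_URLS = {
    "arachnids": "http://www.whitehats.com/IDS/",
    "cve": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=",
    "bugtraq": "http://www.securityfocus.com/vdb/bottom.html?vid=",
    "mcafee": "http://vil.nai.com/vil/dispVirus.asp?virus_k=",
    "nessus": "http://cgi.nessus.org/plugins/dump.php3?id=",
}

# Constructed rules with hypothetical SIDs in the local (1000000+) range.
RULES = """
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; dsize:0; itype:8; reference:arachnids,162; classtype:attempted-recon; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC probe"; content:"/probe"; reference:cve,2000-0138; reference:bugtraq,1; classtype:web-application-attack; sid:1000002; rev:1;)
"""

# Constructed alert lines in the one-line layout Snort writes with -A fast.
ALERTS = """\
10/02-13:45:12.123456  [**] [1:1000001:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.1.10 -> 10.0.0.5
10/02-13:45:13.001200  [**] [1:1000001:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.1.10 -> 10.0.0.6
10/02-13:45:14.778000  [**] [1:1000001:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.1.10 -> 10.0.0.7
10/02-13:46:02.000010  [**] [1:1000001:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.1.11 -> 10.0.0.5
10/02-13:47:30.500000  [**] [1:1000002:1] WEB-MISC probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.7:4312 -> 10.0.0.5:80
10/02-13:47:31.500000  [**] [1:1000002:1] WEB-MISC probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.7:4313 -> 10.0.0.5:80
"""

RULE_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")
ALERT_RE = re.compile(r"\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\].*?\{(\w+)\}\s+(\S+)\s+->\s+(\S+)")

def parse_rules(text):
    """Map sid -> rule header fields, option string and (system, id) references."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        action, proto, src, sport, dst, dport, opts = m.groups()
        sid = re.search(r"\bsid:(\d+);", opts)
        if not sid:
            continue
        rules[int(sid.group(1))] = {
            "action": action, "proto": proto, "src": src, "sport": sport, "dst": dst,
            "dport": dport, "options": opts,
            "references": re.findall(r"reference:(\w+),([^;]+);", opts),
        }
    return rules

def reference_urls(rule):
    """Expand a rule's references into the URLs from the FAQ table."""
    urls = []
    for system, ident in rule["references"]:
        ident = ident.strip()
        if system.lower() == "cve" and not ident.upper().startswith(("CVE-", "CAN-")):
            ident = "CVE-" + ident          # rules write reference:cve,2000-0138
        prefix = REFERENCE_URLS.get(system.lower())
        urls.append(prefix + ident if prefix else f"{system}:{ident} (unknown reference system)")
    return urls

def parse_alerts(text):
    """Parse alert_fast lines; the port is stripped from TCP/UDP addresses."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        gid, sid, rev, msg, proto, src, dst = m.groups()
        if proto.upper() in ("TCP", "UDP"):
            src, dst = src.rsplit(":", 1)[0], dst.rsplit(":", 1)[0]
        alerts.append({"gid": int(gid), "sid": int(sid), "rev": int(rev), "msg": msg,
                       "proto": proto, "src": src, "dst": dst})
    return alerts

def tally(alerts):
    """Alert count per sid, and per source host within each sid."""
    per_sid = Counter(a["sid"] for a in alerts)
    per_host = defaultdict(Counter)
    for a in alerts:
        per_host[a["sid"]][a["src"]] += 1
    return per_sid, per_host

def noisy_hosts(per_host, threshold):
    """(sid, host, count) for every host at or above threshold: pass-rule candidates."""
    return [(sid, host, n) for sid, hosts in per_host.items()
            for host, n in hosts.most_common() if n >= threshold]

def draft_pass_rule(rule, src_host, new_sid):
    """Copy the alert rule as a pass rule narrowed to one source host. Keeping the
    detection options means only the traffic the alert rule matched is suppressed.
    new_sid is a hypothetical local sid for the pass rule."""
    opts = re.sub(r"\bsid:\d+;", f"sid:{new_sid};", rule["options"])
    opts = re.sub(r"\brev:\d+;", "rev:1;", opts)
    return f"pass {rule['proto']} {src_host} {rule['sport']} -> {rule['dst']} {rule['dport']} ({opts})"

def triage(rules_text, alerts_text, threshold=3, first_pass_sid=1100000):
    """Full triage: counts, look-up URLs per sid and draft pass rules for noisy hosts."""
    rules, alerts = parse_rules(rules_text), parse_alerts(alerts_text)
    per_sid, per_host = tally(alerts)
    urls = {sid: reference_urls(rules[sid]) if sid in rules else [] for sid in per_sid}
    candidates = [c for c in noisy_hosts(per_host, threshold) if c[0] in rules]
    pass_rules = [draft_pass_rule(rules[sid], host, first_pass_sid + i)
                  for i, (sid, host, _) in enumerate(candidates)]
    return {"per_sid": dict(per_sid), "urls": urls, "pass_rules": pass_rules}

if __name__ == "__main__":
    report = triage(RULES, ALERTS)
    for sid, n in report["per_sid"].items():
        print(f"sid {sid}: {n} alerts; see {', '.join(report['urls'][sid]) or 'no references'}")
    # Older Snort 2.x evaluates alert rules before pass rules unless started with -o.
    for rule in report["pass_rules"]:
        print(rule)
```

With the constructed input, only 192.168.1.10 crosses the threshold, so the script drafts a single pass rule for that host and leaves the rule itself active for everyone else; the WEB-MISC hits from 10.0.0.7 stay below the threshold and are left for manual inspection of the payload. The drafted rule copies the original detection options unchanged, which is the difference between passing one noisy host and silencing the rule for the whole network.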


Nigel Houghton 2006-10-02