I think the best way to reduce false positives is proactively at tune-time. If you look into my rhetoric regarding "target-based" IDS (and IPS) you'll see that I've been espousing a position where false positives are an artifact of poorly tuned engines. You have two options to try to rectify this issue:

1) Better tuning, preferably based on intelligence surrounding the attributes of devices in the defended network and automation to bring that info to the sensor technology.

2) Post-detection contextualization utilizing vulnerability mapping and automated methods for assessing the relevance of events versus the composition of the target that they're aimed at.

I think that method 1 is potentially stronger than 2 because it not only reduces false positives, it also reduces false negatives by reducing the informational disparity between the attacker and the defending sensor technology.

Regarding your question, if you turn on any of the rule sets blindly you're going to get a lot of noise (false positives) due to the lack of tuning, so to some degree they're all equally appropriate. Probably choosing the rules that cover protocols you're most comfortable with makes the most sense though, so you can understand the nature of the data they're generating.

Marty

On Sat, Apr 18, 2009 at 11:07 AM, Stephen Mullins <[email protected]> wrote:
> False positives will vary from network to network. You can alter the
> rules to eliminate false positives you run into.
>
> I wouldn't use the spyware rules unless you want Snort telling you
> everyone has Earthlink toolbar installed when they check their
> Earthlink ISP webmail.
>
> On Sat, Apr 4, 2009 at 8:22 AM, Timmmy <[email protected]> wrote:
>>
>> Hi everybody
>> I'm coupling an IDS with an expert system. I want to prove that this could
>> decrease the number of false positives. I chose Snort as an IDS.
>> Because of the huge number of signatures, I just want (for now) to take a
>> little set of signatures and design the expert system rules according to
>> these signatures to work like an administrator would do (analyse logs,
>> monitor the alerts, know if it's a false positive or not, make decision).
>> So, what is in your opinion the right set of signatures to take (for
>> example, the signatures that generate a lot of false positives)?
>> Thx!
>> --
>> View this message in context:
>> http://www.nabble.com/Snort-with-an-expert-system-tp22881974p22881974.html
>> Sent from the IDS (Intrusion Detection System) mailing list archive at
>> Nabble.com.
>
>

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org
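The post-detection contextualization Marty describes as option 2 (and the kind of "is this a false positive?" decision Timmmy wants his expert system to make) can be shown concretely. The following is an added example, not code from the thread, from Snort or from Sourcefire: it parses Snort "fast" alert lines, looks up the destination host in a host inventory (OS, services per port, scanner-reported vulnerability IDs) and the triggering sid in a table of per-rule metadata (which OS and service the rule is about, which vulnerability it detects exploitation of), then grades the alert. The inventory, the sid metadata, the vulnerability identifiers (VULN-IIS-0001 is a placeholder, not a real advisory) and the alert lines are all constructed for the example.

```python
"""Grade Snort fast-alert lines against a host inventory (constructed example)."""
import re

# Constructed host inventory: the attributes a target-based attribute table
# would carry for the defended network. Vulnerability IDs are placeholders.
HOSTS = {
    "10.0.0.5": {"os": "linux",   "services": {80: "apache", 22: "openssh"}, "vulns": set()},
    "10.0.0.9": {"os": "windows", "services": {80: "iis", 445: "smb"},       "vulns": {"VULN-IIS-0001"}},
}

# Constructed per-sid metadata (assumption: curated from rule docs/references).
# os/service: what the rule assumes about the target; vuln: what it detects
# exploitation of, if the rule is tied to a specific vulnerability.
SIG_META = {
    1002: {"os": "windows", "service": "iis",    "vuln": "VULN-IIS-0001"},
    2003: {"os": "linux",   "service": "apache", "vuln": None},
    3004: {"os": None,      "service": "smb",    "vuln": None},
}

# Snort "alert_fast" line layout: [**] [gid:sid:rev] msg [**] ... {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))?"
    r" -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

# Constructed sample alerts (timestamps and addresses are made up).
SAMPLE_ALERTS = [
    "04/18-11:07:01.000001  [**] [1:1002:7] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 192.168.1.50:43012 -> 10.0.0.5:80",
    "04/18-11:07:02.000002  [**] [1:1002:7] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 192.168.1.50:43013 -> 10.0.0.9:80",
    "04/18-11:07:03.000003  [**] [1:2003:4] WEB-MISC apache directory traversal [**] [Priority: 2] {TCP} 192.168.1.50:43014 -> 10.0.0.9:80",
    "04/18-11:07:04.000004  [**] [1:3004:2] NETBIOS SMB probe [**] [Priority: 2] {TCP} 192.168.1.51:51000 -> 10.0.0.9:445",
    "04/18-11:07:05.000005  [**] [1:3004:2] NETBIOS SMB probe [**] [Priority: 2] {TCP} 192.168.1.51:51001 -> 10.0.0.5:445",
    "04/18-11:07:06.000006  [**] [1:1002:7] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 192.168.1.50:43015 -> 10.0.0.77:80",
    "04/18-11:07:07.000007  [**] [1:9999:1] constructed rule with no metadata [**] [Priority: 3] {TCP} 192.168.1.52:6000 -> 10.0.0.5:22",
    "this line is not an alert and is skipped",
]


def parse_alert(line):
    """Return a dict of alert fields, or None if the line is not a fast alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    a = m.groupdict()
    a["sid"] = int(a["sid"])
    a["dport"] = int(a["dport"]) if a["dport"] else None
    return a


def assess(alert):
    """Grade one parsed alert against HOSTS and SIG_META; returns (verdict, reason)."""
    host = HOSTS.get(alert["dst"])
    meta = SIG_META.get(alert["sid"])
    if host is None:
        # No knowledge of the target: cannot contextualize, leave for an analyst.
        return "unknown-target", "no inventory entry for %s" % alert["dst"]
    if meta is None:
        return "unclassified", "no metadata for sid %d" % alert["sid"]
    if meta["os"] and meta["os"] != host["os"]:
        return "not-applicable", "rule targets %s, host runs %s" % (meta["os"], host["os"])
    if meta["service"]:
        served = host["services"].get(alert["dport"])
        if served != meta["service"]:
            return "not-applicable", "rule targets %s, port %s serves %s" % (meta["service"], alert["dport"], served)
    if meta["vuln"]:
        # Vulnerability mapping: the strongest signal either way.
        if meta["vuln"] in host["vulns"]:
            return "confirmed-vulnerable", "host reported vulnerable to %s" % meta["vuln"]
        return "likely-patched", "host not reported vulnerable to %s" % meta["vuln"]
    return "relevant", "target matches the rule's assumptions"


def triage(lines):
    """Parse and grade every alert line; returns [(sid, dst, verdict, reason), ...]."""
    out = []
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        verdict, reason = assess(a)
        out.append((a["sid"], a["dst"], verdict, reason))
    return out


if __name__ == "__main__":
    for sid, dst, verdict, reason in triage(SAMPLE_ALERTS):
        print("sid %-5d -> %-10s %-20s %s" % (sid, dst, verdict, reason))
```

The verdicts are the same judgments an administrator makes by hand (IIS rule fired against a Linux/Apache box: ignore; SMB rule against a host with nothing on 445: ignore; IIS rule against a Windows host the scanner says is vulnerable: escalate), which is exactly the reasoning Timmmy wants to encode as expert-system rules. The same host inventory is also the input for Marty's preferred option 1: fed to the sensor up front (Snort's target-based attribute table takes per-host OS and service data) it changes what the engine alerts on at all, rather than filtering afterward.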
