Snort Forums Archive


False SNORT alerts and making sense of the data


Posted by amd599 on March 23, 2005 14:05:47

Are there any in-depth guides on how to make sense of all this data? And what is the best way to capture the most attacks (what syntax/options should I be using)? I'm new to SNORT and I'm using BASE as the front-end. I am having trouble making out what all of the data means. I've had it up and running for 2 days and have received 668 alerts, obv. not all of these are actually attacks of any sort.

How do I interpret what is an "actual" threat or what is a false alarm? I've had it up for 2 days now and it works great, but in those 2 days I have about 600 alerts. There are also a lot of SNMP Public access UDP alerts; is that normal? I mean out of 600 alerts about 450 are those SNMP occurrences. Is there any formal documentation on how to interpret this data so I can show my company that it is doing what it is supposed to?
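The usual first step when one signature accounts for most of the alerts, as the SNMP "public access" alerts do in this post, is to aggregate the alert log by signature and source before looking at individual events: a single management station polling SNMP with the default community string will fire hundreds of identical alerts, while a real probe tends to come from an outside address and touch several signatures. The script below is an added example written for this thread, not code from the original post or from the Snort project. It assumes Snort's `alert_fast` output format and parses a few constructed sample lines (the SIDs and messages are written to resemble classic Snort 2.x rules, so check them against your own rules files); the `suppress` lines it prints use the Snort 2.x `threshold.conf` syntax and are meant for review, one per known-benign source host, rather than for silencing the whole rule.

```python
import re

# Pattern for one line of Snort's alert_fast output (output alert_fast / -A fast).
# Written for this example; it covers the common field layout, not every variant.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]+)\])?"
    r"\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?"
    r"\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts (not real traffic). SIDs and messages are written to
# resemble classic Snort 2.x rules; verify them against your own rule set.
SAMPLE_ALERTS = """\
03/23-14:05:47.000001  [**] [1:1411:10] SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.168.1.50:1025 -> 192.168.1.1:161
03/23-14:05:48.000002  [**] [1:1411:10] SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.168.1.50:1025 -> 192.168.1.2:161
03/23-14:05:49.000003  [**] [1:1411:10] SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.168.1.50:1025 -> 192.168.1.3:161
03/23-14:05:50.000004  [**] [1:1411:10] SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.168.1.50:1025 -> 192.168.1.4:161
03/23-14:07:01.000005  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.9 -> 192.168.1.10
03/23-14:07:05.000006  [**] [1:1002:7] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.9:40211 -> 192.168.1.10:80
"""


def parse_alerts(text):
    """Parse alert_fast lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["gid"], d["sid"], d["prio"] = int(d["gid"]), int(d["sid"]), int(d["prio"])
        alerts.append(d)
    return alerts


def summarize(alerts):
    """Per-signature view: how many alerts, from how many sources, to how many targets."""
    summary = {}
    for a in alerts:
        key = (a["gid"], a["sid"])
        s = summary.setdefault(key, {"msg": a["msg"], "count": 0, "prio": a["prio"],
                                     "sources": set(), "targets": set()})
        s["count"] += 1
        s["prio"] = min(s["prio"], a["prio"])   # lowest number = highest priority
        s["sources"].add(a["src"])
        s["targets"].add(a["dst"])
    return summary


def suppress_candidates(alerts, min_share=0.25, max_sources=3):
    """Signatures that make up a large share of all alerts but come from only a few
    sources are the usual tuning candidates (e.g. a management station polling SNMP).
    Returns (gid, sid, sorted source list) for each such signature."""
    total = len(alerts)
    out = []
    for (gid, sid), s in sorted(summarize(alerts).items()):
        if total and s["count"] / total >= min_share and len(s["sources"]) <= max_sources:
            out.append((gid, sid, sorted(s["sources"])))
    return out


def suppress_lines(candidates):
    """Render Snort 2.x 'suppress' directives (threshold.conf syntax) for review;
    one line per source so only the known-benign host is silenced, not the rule."""
    return [f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {ip}"
            for gid, sid, ips in candidates for ip in ips]


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    for (gid, sid), s in sorted(summarize(alerts).items(), key=lambda kv: -kv[1]["count"]):
        print(f"{gid}:{sid:<6} {s['count']:>4} alerts  prio {s['prio']}  "
              f"{len(s['sources'])} src / {len(s['targets'])} dst  {s['msg']}")
    for line in suppress_lines(suppress_candidates(alerts)):
        print(line)
```

Run it against your own alert file by feeding its contents to `parse_alerts`. In the constructed sample the four SNMP alerts all come from one internal host and so become a suppress candidate, while the two alerts from the outside address stay visible; before adding any suppress line, confirm that the source really is the device you expect (a management station, a monitoring server) and that its SNMP community string is not actually left at the default, since the signature is pointing at a real configuration weakness even when the traffic itself is legitimate.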

Posted by novowels on March 26, 2005 12:26:23

Get the Syngress book "Snort 2.1 Intrusion Detection" or take the SANS class.

http://www.snort.org/external/?url=http://www.amazon.com/exec/obidos/tg/detail/-/1931836043/