False positives will vary from network to network. You can alter the rules to eliminate false positives you run into.
I wouldn't use the spyware rules unless you want Snort telling you everyone has Earthlink toolbar installed when they check their Earthlink ISP webmail. On Sat, Apr 4, 2009 at 8:22 AM, Timmmy <[email protected]> wrote: > > Hi everybody > I'm coupling an IDS with an expert system. I want to prove that this could > decrease the number of false positives. I chose Snort as an IDS. > Because of the huge number of signatures, I just want (for now) to take a > little set of signatures and design the expert system rules according to > theses signatures to work like an administrator would do (analyse logs, > monitor the alerts, know if it's a false positive or not, make decision). > So, what is in your opinion the right set of signatures to take (for > example, the signatures that generate a lot of false positives) ? > Thx! > -- > View this message in context: > http://www.nabble.com/Snort-with-an-expert-system-tp22881974p22881974.html > Sent from the IDS (Intrusion Detection System) mailing list archive at > Nabble.com. > > > >
