Will deploying Snort detect malicious events quickly?

About the author
Richard Bejtlich is director of incident response at General Electric Company in Manassas, Va. and blogs at Bejtlich.net and TaoSecurity.com. Listen to the rest of Richard's answers on Snort by downloading our Snort podcast.

Operators can expect to find something interesting on just about any network segment they care to monitor. Unfortunately, deploying a new instance of Snort with a full complement of active rules will produce more alerts than the average operator is willing to tolerate. Please note that these alerts are not false positives. A real false positive happens when an operator instructs Snort to identify a certain type of traffic and Snort reports seeing it when that traffic never actually occurred. If an operator tells Snort to alert every time it sees the string "http", the resulting alerts are not false positives. They are the results of the operator's choices.
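To illustrate the point about operator choices, here is an added example (written for this page, not code from the author or the Snort project): a small Python simulation of a minimal subset of Snort's rule syntax run over constructed sample packets, showing that a rule for the string "http" fires on every ordinary web request, each alert a true match, while a rule scoped to what the operator actually cares about fires far less.

```python
"""Added example, not from the original article: a tiny simulation of how a
broad Snort content rule floods an operator with alerts that are still true
matches. Only a small subset of Snort rule syntax is handled; packets are constructed."""
import re

# Constructed sample payloads, as might be seen on a monitored segment.
SAMPLE_PACKETS = [
    {"dst_port": 80, "payload": b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"},
    {"dst_port": 80, "payload": b"GET /login HTTP/1.1\r\nUser-Agent: Mozilla\r\n\r\n"},
    {"dst_port": 443, "payload": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"},
    {"dst_port": 25, "payload": b"MAIL FROM:<bob@example.test>\r\n"},
    {"dst_port": 80, "payload": b"GET /cgi-bin/test.cgi?cmd=id HTTP/1.0\r\n\r\n"},
]

# Two hypothetical rules: the broad "http" rule from the text and a narrower one.
BROAD_RULE = 'alert tcp any any -> any any (msg:"any http"; content:"http"; nocase; sid:1000001;)'
NARROW_RULE = 'alert tcp any any -> any 80 (msg:"cgi-bin request"; content:"/cgi-bin/"; sid:1000002;)'

RULE_RE = re.compile(r'alert tcp any any -> any (\S+) \((.*)\)')

def parse_rule(rule):
    """Parse a minimal Snort rule: destination port plus msg/content/nocase/sid options."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError("unsupported rule syntax")
    port, body = m.groups()
    opts = {}
    for opt in body.split(";"):
        key, _, val = opt.strip().partition(":")
        if key:
            opts[key] = val.strip().strip('"')
    return {"port": None if port == "any" else int(port),
            "msg": opts["msg"], "content": opts["content"].encode(),
            "nocase": "nocase" in opts}

def match(rule, packet):
    """True when the packet's port and payload satisfy the rule (a true match by definition)."""
    if rule["port"] is not None and packet["dst_port"] != rule["port"]:
        return False
    payload, needle = packet["payload"], rule["content"]
    if rule["nocase"]:
        payload, needle = payload.lower(), needle.lower()
    return needle in payload

def alerts(rule_text, packets=SAMPLE_PACKETS):
    """Return one (msg, dst_port) tuple per alert the rule would raise over the packets."""
    rule = parse_rule(rule_text)
    return [(rule["msg"], p["dst_port"]) for p in packets if match(rule, p)]

if __name__ == "__main__":
    for r in (BROAD_RULE, NARROW_RULE):
        print(len(alerts(r)), "alerts from:", r)
```

The broad rule raises an alert for every web request in the sample because each one really does contain "HTTP"; the volume comes from the rule the operator wrote, not from Snort misreporting.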

This was first published in January 2008
