Will deploying Snort detect malicious events quickly?

The number of alerts Snort provides when it is set up on a network depends on the number and scope of the configuration rules that are established. These are not to be considered false positives.

About the author
Richard Bejtlich is director of incident response at General Electric Company in Manassas, Va. and blogs at Bejtlich.net and TaoSecurity.com. Listen to the rest of Richard's answers on Snort by downloading our Snort podcast.

Operators can expect to find something interesting on just about any network segment they care to monitor. Unfortunately, deploying a new instance of Snort with a full complement of active rules will produce more alerts than the average operator is willing to tolerate. Please note that these alerts are not false positives. A real false positive happens when an operator instructs Snort to identify a certain type of traffic and Snort reports seeing it -- when it didn't happen. If an operator tells Snort to alert every time it sees the string "http", the resulting alerts are not false positives. They are the results of the operator's choices.
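To make the point concrete, here is an added example (not from the original column or from the Snort project) that evaluates two rules of different scope against a handful of constructed payloads: a broad rule that alerts on the string "http" fires on most traffic, while a narrower two-content rule fires only where both patterns appear. The rule parser is a hypothetical, deliberately tiny subset of Snort's option syntax (msg, content, nocase); the payloads are constructed, not captured.

```python
from dataclasses import dataclass

# Constructed sample payloads standing in for packets on a monitored segment.
SAMPLE_PAYLOADS = [
    b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n",   # ordinary web request
    b"POST /api/login HTTP/1.1\r\nHost: portal\r\n",      # ordinary web request
    b"Subject: see http://example.test/report\r\n",       # mail body citing a URL
    b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1",              # TLS ClientHello fragment
    b"user=alice&cmd=../../etc/passwd HTTP/1.1",          # request with traversal
]

@dataclass
class Rule:
    msg: str
    contents: list  # list of (pattern_bytes, nocase_flag)

# Hypothetical minimal parser for msg / content / nocase; other options are ignored.
def parse_rule(text: str) -> Rule:
    opts = text[text.index("(") + 1 : text.rindex(")")]
    msg, contents, pending = "", [], None
    for opt in [o.strip() for o in opts.split(";") if o.strip()]:
        key, _, val = opt.partition(":")
        if key == "msg":
            msg = val.strip().strip('"')
        elif key == "content":
            pending = [val.strip().strip('"').encode(), False]
            contents.append(pending)
        elif key == "nocase" and pending is not None:
            pending[1] = True          # modifier applies to the preceding content
    return Rule(msg, [tuple(c) for c in contents])

def matches(rule: Rule, payload: bytes) -> bool:
    # Every content option must be present; order is not enforced in this subset.
    for pat, nocase in rule.contents:
        hay, needle = (payload.lower(), pat.lower()) if nocase else (payload, pat)
        if needle not in hay:
            return False
    return True

def alert_count(rule_text: str, payloads=SAMPLE_PAYLOADS) -> int:
    # Each alert here is a true positive for the rule as written: the pattern is present.
    rule = parse_rule(rule_text)
    return sum(matches(rule, p) for p in payloads)

BROAD = 'alert tcp any any -> any any (msg:"any http string"; content:"http"; nocase; sid:1000001;)'
NARROW = 'alert tcp any any -> any any (msg:"traversal in request"; content:"HTTP/1."; content:"../"; sid:1000002;)'

if __name__ == "__main__":
    print("broad rule alerts :", alert_count(BROAD))    # 4 of 5 payloads
    print("narrow rule alerts:", alert_count(NARROW))   # 1 of 5 payloads
```

The broad rule's four alerts are all correct detections of "http"; the volume comes from the rule's scope, not from Snort misreporting traffic.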

This was last published in January 2008
