Operators can expect to find something interesting on just about any network segment they care to monitor. Unfortunately, deploying a new instance of Snort with a full complement of active rules will produce more alerts than the average operator is willing to tolerate. These alerts are not false positives, though. A real false positive occurs when an operator instructs Snort to identify a certain type of traffic and Snort reports seeing that traffic when it never actually occurred. If an operator tells Snort to alert every time it sees the string "http", the resulting flood of alerts is not a set of false positives: Snort matched exactly what it was told to match. Those alerts are the result of the operator's choices, and the remedy is to tune the rule, not to discount the sensor.
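The "http" rule described above, written out as Snort rules, as an added illustration that is not part of the original article. The first rule is the overbroad one the paragraph describes; the second is one way an operator might narrow the same content match so it fires only where it is meaningful. Both assume Snort 2.x rule syntax and the `$HOME_NET`, `$EXTERNAL_NET` and `$HTTP_PORTS` variables from a stock snort.conf; the SIDs are arbitrary local values.

```snort
# Overbroad (added example): matches the literal string "http" anywhere in any
# TCP payload, in either direction, on any port. Every HTTP request, every
# e-mail or chat message containing a URL, and much else will trigger it.
# The resulting alerts are true matches of what was asked for, not false positives.
alert tcp any any -> any any (msg:"LOCAL literal http string in any TCP payload"; \
    content:"http"; nocase; sid:1000001; rev:1;)

# Narrowed (added example): the same content match, but only in the request URI
# of an established client-to-server session headed for a web server port.
# This still fires on legitimate traffic (URIs that embed another URL are common),
# but each alert now answers a specific question the operator actually asked.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"LOCAL http string inside request URI"; \
    flow:to_server,established; content:"http"; nocase; http_uri; \
    sid:1000002; rev:1;)
```

The point of placing the two side by side is that neither rule produces false positives in the strict sense: a false positive would be Snort alerting on the second rule when no request URI containing "http" was ever sent. What changes between them is how much of the alert volume is worth an analyst's time, and that is entirely under the operator's control through `flow`, direction, port variables and payload modifiers such as `http_uri`.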
This was first published in January 2008.