
Will deploying Snort detect malicious events quickly?

The number of alerts Snort produces once it is deployed on a network depends on how many rules are enabled and how broadly those rules match. Alerts generated by broad rules should not be considered false positives.

About the author
Richard Bejtlich is director of incident response at General Electric Company in Manassas, Va. Listen to the rest of Richard's answers on Snort by downloading our Snort podcast.

Operators can expect to find something interesting on just about any network segment they care to monitor. Unfortunately, deploying a new instance of Snort with a full complement of active rules will produce more alerts than the average operator is willing to tolerate. Please note that these alerts are not false positives. A real false positive happens when an operator instructs Snort to identify a certain type of traffic and Snort reports seeing it -- when it didn't happen. If an operator tells Snort to alert every time it sees the string "http", the resulting alerts are not false positives. They are the results of the operator's choices.
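To make the point concrete, here is the "alert on the string http" rule the answer describes, beside a version of the same content match with its scope narrowed. This is an added illustration, not part of the original answer or of the Snort rule sets; it assumes Snort 2.x rule syntax of the period, the $HOME_NET, $EXTERNAL_NET and $HTTP_PORTS variables from a default snort.conf, and SIDs 1000001 and 1000002 chosen from the local rule range.

```snort
# Added example, not from the original answer. Assumes Snort 2.x syntax and the
# default snort.conf variables $HOME_NET, $EXTERNAL_NET and $HTTP_PORTS.

# Rule 1: the broad rule from the answer. It fires on every TCP packet in either
# direction whose payload contains "http" (case-insensitive). Every alert it
# produces is a true positive: the operator asked for exactly this.
alert tcp any any -> any any (msg:"LOCAL string http seen in payload"; \
    content:"http"; nocase; classtype:not-suspicious; sid:1000001; rev:1;)

# Rule 2: the same content match, scoped to what an operator probably meant.
#  - only client-to-server traffic on an established session (flow)
#  - only from the monitored network to the outside (direction and variables)
#  - only to ports that are not the usual HTTP ports (!$HTTP_PORTS), so ordinary
#    web browsing does not trigger it
#  - at most one alert per source address per minute (threshold)
# The alert count drops because the rule's scope changed, not because the
# earlier alerts were wrong.
alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"LOCAL http string to non-HTTP port"; \
    flow:to_server,established; content:"http"; nocase; \
    threshold:type limit, track by_src, count 1, seconds 60; \
    classtype:policy-violation; sid:1000002; rev:1;)
```

Either rule can be dropped into a local.rules file referenced from snort.conf. Running the two side by side on the same segment is a quick way to see that the first rule's alert volume is a consequence of its scope, not evidence of a detection error; when an operator tunes Snort, the work is deciding which of these choices to keep.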

This was last published in January 2008
