How do I recognise false positive and false negative alerts in IDS logs? (Suricata, Snort, etc.)



  • Hi everyone,

    I have to write a python script that correlates IDS alerts but before I can do that my superior told me to code the calculation of an accuracy rate. However, I am just not sure how I can make that happen? How do I recognise false positive and false negative alerts? Any ideas?

    Anything will help, am kinda desperate... - Thanks!



  • @osxfactor said in How do I recognise false positive and false negative alerts in IDS logs? (Suricata, Snort, etc.):

    Hi everyone,

    I have to write a python script that correlates IDS alerts but before I can do that my superior told me to code the calculation of an accuracy rate. However, I am just not sure how I can make that happen? How do I recognise false positive and false negative alerts? Any ideas?

    Anything will help, am kinda desperate lol - Thanks!

    Google and searching the posts on this forum are your friends!!!



  • Your human brain has to research the alerts, look at the underlying rules and their logic, examine your network topology and client make-up (types of OS, for example) and then use your noodle to figure out if a given alert is likely a false positive. As user @jdeloach stated, Google will be your friend in this endeavor.

    How do you think the system is going to figure out and flag a false positive for you? If it was smart enough to do that, it would be smart enough to not false positive in the first place ... ☺.
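    Once that human triage has produced verdicts, the accuracy rate itself is just a confusion matrix over labelled flows. The script below is an added example, not code from this thread: it reads constructed Suricata eve.json-style lines (signature ids and addresses are made up), joins them with a constructed analyst label file mapping flow_id to confirmed-malicious or benign, and computes TP/FP/FN/TN plus accuracy, precision and recall. The `SAMPLE_LABELS` dict stands in for whatever ticketing or triage export you actually have; the point is that it comes from outside the IDS.

```python
"""Score IDS alerts against analyst-supplied ground truth.

Added example (not from the thread). Assumes Suricata eve.json-style JSON
lines and a separate label set produced by human triage; both are constructed
here so the script runs offline.
"""
import json
from collections import Counter

# Constructed eve.json lines: alerts on flows 1, 2 and 4, plain flow records
# (no alert) for flows 3 and 5. Signature ids 9000001/9000002 are made up.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-01-01T10:00:00+0000","flow_id":1,"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"signature_id":9000001,"signature":"TEST shell command in HTTP body"}}',
    '{"timestamp":"2024-01-01T10:00:01+0000","flow_id":2,"event_type":"alert","src_ip":"10.0.0.7","dest_ip":"10.0.0.9","alert":{"signature_id":9000002,"signature":"TEST stream anomaly"}}',
    '{"timestamp":"2024-01-01T10:00:02+0000","flow_id":3,"event_type":"flow","src_ip":"10.0.0.8","dest_ip":"10.0.0.9"}',
    '{"timestamp":"2024-01-01T10:00:03+0000","flow_id":4,"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"signature_id":9000001,"signature":"TEST shell command in HTTP body"}}',
    '{"timestamp":"2024-01-01T10:00:04+0000","flow_id":5,"event_type":"flow","src_ip":"10.0.0.6","dest_ip":"10.0.0.9"}',
]

# Constructed ground truth from analyst triage: flow_id -> True if the flow was
# confirmed malicious. Flow 2 alerted but was benign (false positive); flow 5
# was malicious but nothing fired (false negative). The IDS cannot produce
# this mapping by itself; it is the output of the research described above.
SAMPLE_LABELS = {1: True, 2: False, 3: False, 4: True, 5: True}


def parse_eve(lines):
    """Return (alerted, seen): flow_ids with at least one alert, and all flow_ids observed."""
    alerted, seen = set(), set()
    for line in lines:
        rec = json.loads(line)
        fid = rec["flow_id"]
        seen.add(fid)
        if rec.get("event_type") == "alert":
            alerted.add(fid)
    return alerted, seen


def confusion(alerted, seen, labels):
    """Count TP/FP/FN/TN over labelled flows; flows without a verdict are counted as 'unlabeled'."""
    c = Counter()
    for fid in seen:
        if fid not in labels:
            c["unlabeled"] += 1
            continue
        malicious = labels[fid]
        fired = fid in alerted
        if fired and malicious:
            c["TP"] += 1
        elif fired and not malicious:
            c["FP"] += 1
        elif not fired and malicious:
            c["FN"] += 1
        else:
            c["TN"] += 1
    return c


def metrics(c):
    """Accuracy, precision and recall from a confusion Counter (0.0 where undefined)."""
    tp, fp, fn, tn = c["TP"], c["FP"], c["FN"], c["TN"]
    total = tp + fp + fn + tn
    return {
        "accuracy": (tp + tn) / total if total else 0.0,
        "precision": tp / (tp + fp) if tp + fp else 0.0,
        "recall": tp / (tp + fn) if tp + fn else 0.0,
    }


def score(lines=SAMPLE_EVE_LINES, labels=SAMPLE_LABELS):
    """Parse the eve lines, join with labels, return (confusion Counter, metrics dict)."""
    alerted, seen = parse_eve(lines)
    c = confusion(alerted, seen, labels)
    return c, metrics(c)


if __name__ == "__main__":
    c, m = score()
    print(dict(c), m)
```

    On the sample data this gives TP=2, FP=1, FN=1, TN=1, so accuracy 0.6 and precision and recall both 2/3. Note that TN (and therefore accuracy) is only meaningful if you log every flow, not just alerts, and label them all; with alert-only logs you can still report precision, but recall and accuracy need the flows the IDS stayed silent on.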

