How do I recognise false positive and false negative alerts in IDS logs? (Suricata, Snort, etc.)
-
Hi everyone,
I have to write a Python script that correlates IDS alerts, but before I can do that my superior told me to code the calculation of an accuracy rate. However, I am just not sure how I can make that happen. How do I recognise false positive and false negative alerts? Any ideas?
Anything will help, I'm kinda desperate... Thanks!
-
@osxfactor said in How do I recognise false positive and false negative alerts in IDS logs? (Suricata, Snort, etc.):
Hi everyone,
I have to write a Python script that correlates IDS alerts, but before I can do that my superior told me to code the calculation of an accuracy rate. However, I am just not sure how I can make that happen. How do I recognise false positive and false negative alerts? Any ideas?
Anything will help, I'm kinda desperate lol. Thanks!
Google and searching the posts on this forum are your friends!!!
-
Your human brain has to research the alerts, look at the underlying rules and their logic, examine your network topology and client make-up (types of OS, for example) and then use your noodle to figure out if a given alert is likely a false positive. As user @jdeloach stated, Google will be your friend in this endeavor.
How do you think the system is going to figure out and flag a false positive for you? If it was smart enough to do that, it would be smart enough not to false positive in the first place...
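The replies make the key point: an IDS log alone cannot tell you which alerts are false positives, and it contains nothing at all about false negatives. A script can only compute an accuracy rate once a human (or an independent source such as an incident report or a sanctioned internal test) has supplied verdicts. The following Python example, added here and not taken from the thread or from the Suricata project, shows what the original poster's script would actually compute: it parses Suricata EVE JSON lines, joins the alerts against analyst verdicts keyed by `flow_id`, treats confirmed malicious flows that raised no alert as false negatives, and reports accuracy, precision and recall plus a per-signature false-positive count for rule tuning. The EVE lines, signature IDs (local-rule range), verdicts and the `CONFIRMED_MISSED` set are all constructed sample data; the use of the `alerted` field in Suricata flow records to find unalerted flows is an assumption about the deployed EVE configuration.

```python
import json
from collections import Counter

# Constructed Suricata EVE JSON lines (sample data, not real traffic).
# Signature IDs are in the local-rule range and are invented for the example.
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T10:00:01Z","flow_id":101,"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.9","alert":{"signature_id":1000001,"signature":"LOCAL sample rule A"}}
{"timestamp":"2024-01-01T10:00:02Z","flow_id":102,"event_type":"alert","src_ip":"10.0.0.7","dest_ip":"10.0.0.1","alert":{"signature_id":1000002,"signature":"LOCAL sample policy rule B"}}
{"timestamp":"2024-01-01T10:00:03Z","flow_id":103,"event_type":"flow","src_ip":"10.0.0.8","dest_ip":"10.0.0.1","flow":{"alerted":false}}
{"timestamp":"2024-01-01T10:00:04Z","flow_id":104,"event_type":"alert","src_ip":"10.0.0.9","dest_ip":"198.51.100.2","alert":{"signature_id":1000002,"signature":"LOCAL sample policy rule B"}}
{"timestamp":"2024-01-01T10:00:05Z","flow_id":105,"event_type":"alert","src_ip":"10.0.0.9","dest_ip":"198.51.100.2","alert":{"signature_id":1000002,"signature":"LOCAL sample policy rule B"}}
{"timestamp":"2024-01-01T10:00:06Z","flow_id":106,"event_type":"flow","src_ip":"10.0.0.3","dest_ip":"10.0.0.1","flow":{"alerted":false}}
"""

# Analyst verdicts keyed by flow_id (constructed): True = the alert described
# real malicious activity, False = false positive. Flow 105 is deliberately
# left unreviewed to show how unlabelled alerts are kept out of the metrics.
ANALYST_VERDICTS = {101: True, 102: False, 104: False}

# Confirmed malicious flows that raised no alert (constructed; in practice this
# comes from incident records or a sanctioned test, never from the IDS itself).
CONFIRMED_MISSED = {103}


def parse_eve(text):
    """Split EVE JSON lines into alert records and the ids of flows that never alerted.

    Assumes Suricata's flow events carry a boolean flow.alerted field.
    """
    alerts, quiet_flows = [], set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") == "alert":
            alerts.append(rec)
        elif rec.get("event_type") == "flow" and not rec.get("flow", {}).get("alerted", False):
            quiet_flows.add(rec["flow_id"])
    return alerts, quiet_flows


def confusion_matrix(alerts, quiet_flows, verdicts, confirmed_missed):
    """Count TP/FP from reviewed alerts and FN/TN from unalerted flows."""
    counts = Counter()
    for alert in alerts:
        verdict = verdicts.get(alert["flow_id"])
        if verdict is None:
            counts["unreviewed"] += 1   # no human label yet: excluded from the rate
        elif verdict:
            counts["tp"] += 1
        else:
            counts["fp"] += 1
    for flow_id in quiet_flows:
        counts["fn" if flow_id in confirmed_missed else "tn"] += 1
    return counts


def metrics(counts):
    """Accuracy, precision and recall with zero-division guards."""
    tp, fp, fn, tn = counts["tp"], counts["fp"], counts["fn"], counts["tn"]

    def ratio(num, den):
        return num / den if den else 0.0

    return {
        "accuracy": ratio(tp + tn, tp + tn + fp + fn),
        "precision": ratio(tp, tp + fp),
        "recall": ratio(tp, tp + fn),
    }


def noisy_signatures(alerts, verdicts):
    """False-positive count per signature, the list you tune or suppress rules from."""
    fp_by_sig = Counter()
    for alert in alerts:
        if verdicts.get(alert["flow_id"]) is False:
            sig = alert["alert"]
            fp_by_sig[(sig["signature_id"], sig["signature"])] += 1
    return fp_by_sig.most_common()


if __name__ == "__main__":
    alerts, quiet = parse_eve(SAMPLE_EVE)
    cm = confusion_matrix(alerts, quiet, ANALYST_VERDICTS, CONFIRMED_MISSED)
    print(dict(cm))
    print(metrics(cm))
    print(noisy_signatures(alerts, ANALYST_VERDICTS))
```

Two things about the design are worth noting. True negatives are only countable because the example treats every unalerted flow as a unit; on a real sensor that number dwarfs everything else and makes "accuracy" look excellent regardless of how the rules perform, so precision (how many alerts were real) and recall (how many real events were caught) are the figures a superior should actually be asking for. And `noisy_signatures` is where the human effort from the reply above pays off: once verdicts exist, the rules generating most of the false positives are obvious and can be tuned or suppressed for the relevant hosts.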