Snort False Positives



  • Snort-Dev 1.18 on 1.2.3-RELEASE has been working great (Thanks James!!!), with the exception of getting false positives when using the SMTP and FTP rules. I've read the forum up and down, but still can't seem to get it to work right. It seems like any service I use heavily will get triggered.

    Does anyone have any advice or tips to limit the false positives while still staying as secure as possible? If it helps any, we're using Exchange and a majority of our email communications are to Exchange servers as well.

    Thanks for any help anyone can give!



  • The threshold.conf tab is what you want and I have not had time to add it.
    You will have to edit the snort rule file called threshold.conf.

    I still have to add it on the next release.
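As an added example (not code from the thread or from the pfSense Snort package), the following script shows the three directive forms a threshold.conf holds, `suppress`, `event_filter` and the older `threshold` spelling, and checks a file for the mistakes that make Snort refuse to start. The embedded sample config is constructed: the `sig_id` values are placeholders to be replaced with the gen_id/sig_id pair from the alert being tuned, and 192.0.2.25 stands in for the Exchange server. The `duplicate_signatures` check assumes Snort accepts one rate-limiting directive per gid:sid.

```python
"""Parse and sanity-check a Snort threshold.conf before it is deployed."""
import re

# Constructed sample threshold.conf, not a file from the thread. The sig_id
# values are placeholders: replace them with the gen_id/sig_id pair printed in
# the alert you have judged to be a false positive ("[1:2000001:3]" means
# gen_id 1, sig_id 2000001, revision 3). 192.0.2.25 is a documentation address.
SAMPLE_THRESHOLD_CONF = """\
# Silence one SMTP rule only when the source is the Exchange server.
suppress gen_id 1, sig_id 2000001, track by_src, ip 192.0.2.25

# Keep an FTP rule, but log at most one alert per source every 60 seconds.
event_filter gen_id 1, sig_id 2000002, type limit, track by_src, count 1, seconds 60

# Older Snort releases spell the same directive 'threshold'.
threshold gen_id 1, sig_id 2000003, type both, track by_dst, count 5, seconds 30
"""

_DIRECTIVE = re.compile(r"^(suppress|event_filter|threshold)\s+(.+)$")
_TRACK = {"by_src", "by_dst"}
_TYPES = {"limit", "threshold", "both"}


def _fields(rest, lineno):
    """Split 'key value, key value' into a dict, rejecting malformed parts."""
    out = {}
    for part in rest.split(","):
        kv = part.split(None, 1)
        if len(kv) != 2:
            raise ValueError(f"line {lineno}: malformed field {part.strip()!r}")
        out[kv[0]] = kv[1].strip()
    return out


def _nonneg_int(fields, key, lineno):
    """Fetch a required integer field (sig_id 0 is legal, so 0 is allowed)."""
    try:
        value = int(fields[key])
    except KeyError:
        raise ValueError(f"line {lineno}: missing {key}") from None
    except ValueError:
        raise ValueError(f"line {lineno}: {key} must be an integer") from None
    if value < 0:
        raise ValueError(f"line {lineno}: {key} must not be negative")
    return value


def parse_threshold_conf(text):
    """Return one dict per directive; raise ValueError on the first bad line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unknown directive {line.split()[0]!r}")
        kind, fields = m.group(1), _fields(m.group(2), lineno)
        entry = {
            "kind": kind,
            "gen_id": _nonneg_int(fields, "gen_id", lineno),
            "sig_id": _nonneg_int(fields, "sig_id", lineno),
        }
        if kind == "suppress":
            # 'track ... ip ...' narrows the suppression to one host or CIDR;
            # without it the rule is silenced for every address.
            if "track" in fields or "ip" in fields:
                if fields.get("track") not in _TRACK or "ip" not in fields:
                    raise ValueError(f"line {lineno}: suppress needs track by_src|by_dst and ip")
                entry["track"], entry["ip"] = fields["track"], fields["ip"]
        else:
            if fields.get("type") not in _TYPES:
                raise ValueError(f"line {lineno}: type must be limit, threshold or both")
            if fields.get("track") not in _TRACK:
                raise ValueError(f"line {lineno}: track must be by_src or by_dst")
            entry.update(
                type=fields["type"],
                track=fields["track"],
                count=_nonneg_int(fields, "count", lineno),
                seconds=_nonneg_int(fields, "seconds", lineno),
            )
        entries.append(entry)
    return entries


def duplicate_signatures(entries):
    """gen_id/sig_id pairs with more than one rate-limiting directive.
    Assumption: Snort accepts only one event_filter/threshold per gid:sid."""
    seen, dups = set(), set()
    for e in entries:
        if e["kind"] == "suppress":
            continue
        key = (e["gen_id"], e["sig_id"])
        if key in seen:
            dups.add(key)
        seen.add(key)
    return sorted(dups)


if __name__ == "__main__":
    parsed = parse_threshold_conf(SAMPLE_THRESHOLD_CONF)
    for e in parsed:
        print(e)
    print("duplicate gid:sid pairs:", duplicate_signatures(parsed))
```

Prefer `event_filter`/`threshold` with `type limit` over a blanket `suppress`: the rule keeps firing, just less often, so a real attack against the mail or FTP server still shows up in the alert log. Reserve `suppress` for a single rule narrowed with `track by_src, ip` to the host known to cause the noise.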



  • Ah, I see. Thank you for the quick reply! Any chance you can give me some tips on how to modify it? I tried doing a quick search in the forums, but didn't find anything.

    Thanks again!
    Jason

