New To Snort, Lots of False Positives
I recently configured Snort to start running on my PFSense Box and while I currently do not have it configured to block any traffic I would like to get to that point… I thought it would be best to monitor my network first and get my suppression lists configured prior to enabling blocking.
I am seeing a lot of alerts for the "http_inspect" specifically out of 3,094 alerts 1,314 of them came from the following SIDs 119:2, 119:4, 119:31, and 119:33. What is the best method (suggested advice) for sorting threw these to figure out what should be suppressed?
Any advice would be greatly appreciated!
Take a look at these threads: