Chapter 9. Tuning and Thresholding

This chapter revolves around controlling false positives (alerts generated by nonmalicious activity) and managing the load on the system running Snort. The opposite of a false positive is a false negative—an actual malicious packet that does not trigger an alert. We will discuss the causes of missed alerts and some steps for closing this gap. We will examine some of the challenges surrounding the initial tuning and customization of the Snort sensor, as well as the ongoing challenges of keeping the information the sensor reports useful. All your work installing and configuring Snort is wasted if the real alerts go unnoticed or are lost in the noise of thousands of false positives. We will also discuss how to keep things managed, from “pass” rules to thresholding and suppression rules.

Many of these strategies are thinly documented and have arisen from the use of Snort in very high bandwidth environments (an OC-48 SONET ring connecting multiple data centers with three redundant OC-3s to the Internet). While these strategies come from environments that not many users of Snort will encounter (even in most businesses), they are useful for anyone running Snort.

False Positives (False Alarms)

When examining alerts, remember that there will always be false positives. False positives are alerts that Snort classifies as intrusion attempts, but which are really benign and can safely be ignored. The sooner you learn to recognize these false positives ...
