How are you all tuning Sig ID:3030 "TCP Syn Host Sweep"? I find this alert is the best indicator of a worm or virus that has made its way inside and is attempting to spread itself around our network, when I see thousands of SYNs coming from one IP all hitting another specific IP range.
Unfortunately we get a ton of "false positives" on this alert that seem to come from users being referred from one website to an ad on another. All hosts seem to trip the rule a similar number of times during the day, which makes it a little tougher to pick out an infected host (5k alerts from one host vs. 300 from each of the others). Making it even more difficult to catch a scanning host before it gets into the range of thousands of hits is the fact that one host can often get a lot of ads or pop-ups from one company's IP block, so it will look similar to a scan even though it likely is not.
Have any of you found an effective way to tune this alert so that it still fires if you have a worm but not for every banner ad/popup window a user gets? Have any of you made an attempt to wade through all the alarms triggered by this sig to determine the actual root of the false positives, or are you just turning the alarm off altogether?
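One way to triage the kind of alerts the post describes, written here as an added example and not code from the original poster or from the IDS vendor: count distinct destination IPs per source per time window, drop destinations that fall in an allowlist of known ad/CDN blocks (so a burst of banner ads from one company's block stops inflating the count), and only flag a source whose count is both above an absolute floor and well above the fleet median. The ad-block ranges, the three sample hosts and their flow records are all constructed for the example (documentation ranges, not real ad networks), and the thresholds are assumptions to tune against your own traffic.

```python
"""Triage helper for 'TCP SYN host sweep' style alerts (example, not vendor code).

Counts distinct destination IPs per source per window, ignores destinations in
an assumed ad/CDN allowlist, and flags sources far above the fleet baseline.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Assumed allowlist of ad/CDN blocks. These are documentation ranges used as
# placeholders; in practice fill this from the blocks you see tripping the sig.
AD_BLOCKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]


def build_sample_flows():
    """Constructed SYN flow records: (timestamp_sec, src_ip, dst_ip, dst_port)."""
    flows = []
    # Host A: normal browsing, but 60 ad/CDN hits from one block plus 20 other sites.
    for i in range(60):
        flows.append((i * 4, "10.0.0.5", f"203.0.113.{i + 1}", 443))
    for i in range(20):
        flows.append((i * 10, "10.0.0.5", f"192.0.2.{i + 1}", 443))
    # Host B: ordinary browsing to 25 distinct external sites.
    for i in range(25):
        flows.append((i * 12, "10.0.0.7", f"192.0.2.{100 + i}", 443))
    # Host C: worm-like sweep of an internal /24 on port 445 within 100 seconds.
    for i in range(200):
        flows.append((i // 2, "10.0.0.9", f"10.0.1.{i + 1}", 445))
    return flows


def is_allowlisted(dst, blocks=AD_BLOCKS):
    """True if the destination falls inside any known ad/CDN block."""
    addr = ip_address(dst)
    return any(addr in block for block in blocks)


def distinct_targets(flows, window_sec=300, blocks=AD_BLOCKS):
    """Return {src: max distinct non-allowlisted destinations seen in any window}."""
    per_window = defaultdict(set)
    for ts, src, dst, _port in flows:
        if is_allowlisted(dst, blocks):
            continue
        per_window[(src, ts // window_sec)].add(dst)
    best = defaultdict(int)
    for (src, _window), dsts in per_window.items():
        best[src] = max(best[src], len(dsts))
    return dict(best)


def flag_sweeps(flows, window_sec=300, blocks=AD_BLOCKS, min_targets=100, ratio=5.0):
    """Flag sources above an absolute floor AND a multiple of the fleet median.

    The ratio test is what separates a sweep from 'everyone trips the rule a
    similar number of times'; the allowlist keeps ad traffic from inflating
    that median.
    """
    counts = distinct_targets(flows, window_sec, blocks)
    if not counts:
        return []
    baseline = median(counts.values())
    return sorted(src for src, n in counts.items()
                  if n >= min_targets and n >= ratio * max(baseline, 1))


if __name__ == "__main__":
    flows = build_sample_flows()
    print("distinct targets (allowlist on):", distinct_targets(flows))
    print("distinct targets (allowlist off):", distinct_targets(flows, blocks=[]))
    print("flagged (allowlist on):", flag_sweeps(flows))
    print("flagged (allowlist off):", flag_sweeps(flows, blocks=[]))
```

Running it shows the effect the post complains about: with the allowlist off, the ad-heavy host's 80 distinct destinations drag the fleet median up so far that the 200-target sweep no longer stands out on the ratio test; with the allowlist on, the ad host drops to 20 and only the sweeping host is flagged.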