Snort mailing list archives
Re: snort rules / arachnids
From: Erek Adams <erek () theadamsfamily net>
Date: Sun, 19 Aug 2001 09:56:08 -0700 (PDT)
On Sun, 19 Aug 2001, Jason Long wrote:
> Is arachNIDS meant to be run by itself or in conjunction with the snort rules? Currently I've been running the arachNIDS ruleset by itself and am wondering if I'm missing out on a lot of alerts. On the other hand, I don't want to be overwhelmed with false positives.
Well... This is a 'loaded' question. :) Rulesets are meant to be used. But, the more rules you have the longer it takes packets to be matched against them. If you only have 10 rules, well that's a whole lot less than 2,000. Marty does some neat things to speed this up, but that basically holds true. Here's the 'loaded' part: Deciding what rules are important to you/your company. If you don't have _any_ machines running IIS, why turn it on? Oh, yeah, someone might have brought in a laptop with IIS running.... It's all a policy decision.
> Any suggestions would be appreciated.
Go to http://www.snort.org/ or http://snort.sourcefire.com/ and check out the downloads. There's some perl there that will merge two rulesets and drop out dupes. There is also a Windows-based GUI at http://www.activeworx.com/. Hope this helps.

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
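The merge-and-dedupe step Erek points to, as an added Python example (not the perl script from snort.org): rules are keyed on their sid, exact copies are dropped, and a later rule that reuses a sid with a different body is reported as a conflict instead of silently winning or losing. The sample rules, sids and paths are constructed placeholders.

```python
import re
from typing import Dict, Iterable, List, Tuple

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def merge_rulesets(*rulesets: Iterable[str]) -> Tuple[List[str], Dict[int, List[str]]]:
    """Return (merged rules, sid conflicts): the first rule seen for a sid
    wins, exact copies are dropped, and a later rule reusing a sid with a
    different body is recorded in conflicts for the operator to resolve."""
    merged: List[str] = []
    by_sid: Dict[int, str] = {}
    seen_text: set = set()
    conflicts: Dict[int, List[str]] = {}
    for ruleset in rulesets:
        for raw in ruleset:
            rule = raw.strip()
            if not rule or rule.startswith("#"):
                continue  # blank line or comment
            key = " ".join(rule.split())  # compare with whitespace collapsed
            m = SID_RE.search(key)
            if m:
                sid = int(m.group(1))
                if sid in by_sid:
                    if by_sid[sid] != key:
                        conflicts.setdefault(sid, [by_sid[sid]]).append(key)
                    continue  # same sid already present: drop this copy
                by_sid[sid] = key
            elif key in seen_text:
                continue  # sid-less rule already present
            seen_text.add(key)
            merged.append(rule)
    return merged, conflicts

# Constructed sample rules: sids in the 9000000 range and paths are placeholders.
SNORT_RULES = [
    'alert tcp any any -> any 80 (msg:"WEB-IIS example"; content:"/example.ida"; sid:9000001; rev:1;)',
    'alert tcp any any -> any 80 (msg:"WEB-MISC example"; content:"/example.cgi"; sid:9000002; rev:1;)',
]
ARACHNIDS_RULES = [
    'alert tcp any any ->  any 80 (msg:"WEB-IIS example"; content:"/example.ida"; sid:9000001; rev:1;)',  # same rule, spacing differs
    'alert tcp any any -> any 80 (msg:"WEB-MISC example"; content:"/example.cgi"; sid:9000002; rev:2;)',  # same sid, newer rev
    'alert udp any any -> any 53 (msg:"DNS example"; content:"|00 00 FC|"; sid:9000003; rev:1;)',  # new rule
]

if __name__ == "__main__":
    rules, clashes = merge_rulesets(SNORT_RULES, ARACHNIDS_RULES)
    print("\n".join(rules))
    print("sid conflicts to review:", sorted(clashes))
```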