Snort mailing list archives

Re: False alerts


From: John Sage <jsage () finchhaven com>
Date: Tue, 18 Dec 2001 17:06:41 -0800

umm..


> Yep, knew I shouldn't have bothered!


As to whether "you should have bothered", perhaps you might more reasonably have anticipated the responses you received.


First, aside from the fact that the article at the Reg never mentions snort by name, the tone of the article suggests that the actual topic is canned, big vendor, proprietary solutions that are installed when:

"...business managers buy IDS systems (often on the advice of auditors or consultants) without committing to the people and resources needed to make the technology work, or having a managed services firm maintain an installation."


I would be willing to bet that this is hardly *ever* the context under which snort is installed and used.


Second, when you say:

"...a configuration wizard that presents a list of O/S and apps..."

the term "wizard" alone conjures up a Window$-style approach that many are trying to get/stay away from: the blind use of wizards and other front ends with checkboxes and radio buttons that do something to some configuration file somewhere, all the while the user remaining blissfully unaware of what is *actually* happening, and why.


Third, the very nature of snort is such that, as with most open source software, when a major new direction is proposed (and particularly when it's proposed with a "...*you* could..." directive) a common response will likely be:

"Yeah? Cool.. do it!"

which in fact someone almost literally said.


So IMO it's not that you shouldn't have bothered, it's just that you shouldn't be quite so surprised.

(Which, considering the phrasing of your response, I don't *really* think you were...)


- John

--
Computers: they're really just nothing but l's and O's



Steve Hutchins wrote:

Yep, knew I shouldn't have bothered!

-----Original Message-----
From: Phil Wood [mailto:cpw () lanl gov]
Sent: Wednesday, 19 December 2001 11:11 a.m.
To: Steve Hutchins
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] False alerts


And while you're at it, have snort nmap -O all the systems on $HOME_NET and with the abundant info returned, answer the questions itself, and
go on its merry way, leaving the satisfied customer oblivious.

On Wed, Dec 19, 2001 at 10:18:27AM +1300, Steve Hutchins wrote:

Reading article: http://www.theregister.co.uk/content/55/23420.html

I wondered why snort couldn't come with
the ability or tool that asks which categories of
systems are in use on the network to be monitored.
So for example, you could spark up a configuration
wizard that presents a list of O/S and apps, then
removes the rules that don't apply to that environment.
Obviously, this would mean specific tagging of rules.
Anyone done something along this line?
Obviously us 'techies' wouldn't use such a tool :O)

Steve

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
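To make Steve's proposal concrete, here is an added example of the pruning step such a tool would perform; it is mine, not code from the thread or from the Snort project. It assumes the Snort 2.x `metadata:` option (comma-separated "key value" pairs, which did not exist in the Snort of 2001), uses the real `service` metadata key, and invents an `os` key as a hypothetical tagging convention that is not a Snort standard. The rule set and the environment profile are constructed for the example. Rules that carry no tag cannot be judged, so they stay enabled, and rules that do not apply are commented out rather than deleted so they can be re-enabled when the profile changes.

```python
"""
Added example (not from the thread or from the Snort project): prune a Snort
rule set to the operating systems and services actually present on the
monitored network, using tags carried in each rule's metadata option.

Assumptions:
  * Rules use the Snort 2.x 'metadata:' option (comma-separated "key value"
    pairs). 'service' is a real Snort metadata key; 'os' is a hypothetical
    tagging convention invented for this example, not a Snort standard.
  * One rule per line (backslash-continued rules are not joined here).
  * The sample rules and the environment profile are constructed.
"""
import re

# Constructed sample rule set; real rule bodies are longer than these.
SAMPLE_RULES = """\
# local.rules (constructed sample)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-IIS cmd.exe access"; content:"cmd.exe"; nocase; classtype:web-application-attack; metadata:os windows, service http; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI phf access"; content:"/phf"; classtype:web-application-activity; metadata:os linux, service http; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB probe"; flow:to_server; classtype:attempted-recon; metadata:os windows, service netbios-ssn; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH version probe"; content:"SSH-"; classtype:attempted-recon; metadata:service ssh; sid:1000004; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; dsize:0; itype:8; classtype:attempted-recon; sid:1000005; rev:1;)
"""

# Action word, header (no parentheses), then the option block in parentheses.
RULE_RE = re.compile(r'^\s*(alert|log|pass|drop|reject|sdrop)\s+[^(]*\((.*)\)\s*$')

# The two tag keys the pruning decision looks at.
TAG_KEYS = ('os', 'service')


def parse_metadata(options):
    """Return {key: set(values)} from a rule's option string.

    'metadata:os windows, service http;' -> {'os': {'windows'}, 'service': {'http'}}
    A rule may carry several metadata options; their pairs are merged.
    """
    tags = {}
    for m in re.finditer(r'metadata\s*:\s*([^;]*);', options):
        for pair in m.group(1).split(','):
            parts = pair.strip().split(None, 1)
            if len(parts) == 2:
                tags.setdefault(parts[0].lower(), set()).add(parts[1].strip().lower())
    return tags


def rule_applies(tags, env):
    """Decide whether a tagged rule belongs in this environment.

    env = {'os': {...}, 'service': {...}}. A key the rule does not tag cannot
    be judged, so it never disqualifies the rule: untagged rules stay enabled.
    Only what is positively known not to apply is pruned.
    """
    for key in TAG_KEYS:
        wanted = tags.get(key)
        if wanted and not (wanted & env.get(key, set())):
            return False
    return True


def prune_rules(rule_text, env):
    """Comment out (do not delete) rules that do not apply; return (text, stats)."""
    out, stats = [], {'kept': 0, 'disabled': 0, 'untagged': 0}
    for line in rule_text.splitlines():
        m = RULE_RE.match(line)
        if not m:                      # comments, blank lines, continuations
            out.append(line)
            continue
        tags = parse_metadata(m.group(2))
        if not any(k in tags for k in TAG_KEYS):
            stats['untagged'] += 1     # kept, but worth reporting to the operator
        if rule_applies(tags, env):
            stats['kept'] += 1
            out.append(line)
        else:
            stats['disabled'] += 1
            out.append('# disabled (not in environment profile): ' + line)
    return '\n'.join(out) + '\n', stats


if __name__ == '__main__':
    # Constructed profile: Linux hosts running only HTTP and SSH.
    profile = {'os': {'linux'}, 'service': {'http', 'ssh'}}
    text, stats = prune_rules(SAMPLE_RULES, profile)
    print(text)
    print(stats)
```

The `untagged` count is the number that matters in practice: the pruning is only as good as the tagging, and a rule set where most rules carry no tag gives the wizard nothing to act on, which is exactly why Steve notes that specific tagging of rules would be required.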