Snort mailing list archives

Tuning snort rules.

From: "Ian Macdonald" <secsnort () dirk demon co uk>
Date: Tue, 23 Apr 2002 17:58:41 -0400

What is the best way to tune snort signatures. For example I am seeing alot
of speedra pings, from http://www.sans.org/y2k/121100-1200.htm they seem to
be an anoyance more than anything else. I originally thought that in order
to disable a rule I should just comment it out, but that would just mean
that the later rule for ping would pick it up.

Any suggestions on the best way to do this? What happens if I change the
rules from alert to pass.

Thanks

Ian


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Tuning snort rules. Ian Macdonald (Apr 23)
- Re: Tuning snort rules. Erek Adams (Apr 24)
- <Possible follow-ups>
- RE: Tuning snort rules. Williams Jon (Apr 24)
  - Re: Tuning snort rules. Ian Macdonald (Apr 24)
- RE: Tuning snort rules. Williams Jon (Apr 24)