Snort mailing list archives

RE: Tuning snort rules.


From: "Williams Jon" <WilliamsJon () JohnDeere com>
Date: Wed, 24 Apr 2002 09:18:07 -0500

First, simply changing a rule that has any options, particularly the content
option, from alert to pass is a bad idea if you're using the -o flag on the
command line.  It forces snort to inspect every packet, and the content
option means that essentially every byte of every packet has to be checked,
so this will slow things down dramatically.  Can you tell I've done this?
:-)

Second, there is, unfortunately, no easier way to tune the rules than to sit
down with the rules, a big mochachino, and your local infrastructure expert
and just keep saying "So, do we run Apache? Do we run Speedera? Do we run
iPlanet? Do we run IPX?" and so on.  Tedious, yes, but it's the only way I've
found to get rid of all that fluff.  It's part of the reason Marty didn't
want to include rules in the beginning - no one really knows your network
better than you, well, except that hacker, but he's not going to help.

Jon 

-----Original Message-----
From: Ian Macdonald [mailto:secsnort () dirk demon co uk]
Sent: Tuesday, April 23, 2002 4:59 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Tuning snort rules.


What is the best way to tune snort signatures? For example I am seeing a lot
of Speedera pings, from http://www.sans.org/y2k/121100-1200.htm they seem to
be an annoyance more than anything else. I originally thought that in order
to disable a rule I should just comment it out, but that would just mean
that the later rule for ping would pick it up.

Any suggestions on the best way to do this? What happens if I change the
rules from alert to pass?

Thanks

Ian


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

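The behaviour the two messages above turn on is Snort's rule-type ordering: by default rules are tested Alert -> Pass -> Log, and the -o flag switches that to Pass -> Alert -> Log. The following simulation is an added example written for this archive page, not code from the thread or from the Snort project. It assumes that ordering (as documented for Snort 1.x/2.x of the period), uses a deliberately minimal rule parser, and works on constructed rules and packets; the "SPEEDERA" content string is a placeholder, not the signature from icmp.rules. It walks Ian's three options (leave the rule, comment it out, change alert to pass) under both orders and returns which rule handles a Speedera-style ping.

```python
"""Simulation of Snort rule-type ordering (Snort 1.x/2.x semantics, assumed here).

Default order: Alert -> Pass -> Log.  With -o: Pass -> Alert -> Log.
The rules and packets below are constructed for illustration; the Speedera
content string is a placeholder, not the signature from icmp.rules.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

RULE_RE = re.compile(
    r'^(?P<action>alert|pass|log)\s+(?P<proto>\w+)\s+\S+\s+\S+\s+->\s+\S+\s+\S+'
    r'\s+\((?P<opts>.*)\)\s*$'
)


@dataclass
class Rule:
    action: str
    proto: str
    msg: str
    itype: Optional[int] = None
    content: Optional[bytes] = None


@dataclass
class Packet:
    proto: str
    itype: int
    payload: bytes


def parse_rules(text: str) -> List[Rule]:
    """Parse a minimal subset of Snort rule syntax; '#' lines are skipped."""
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue  # a commented-out rule is simply gone
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f'unparsable rule: {line}')
        opts: Dict[str, str] = {}
        for opt in m.group('opts').split(';'):
            opt = opt.strip()
            if opt:
                key, _, val = opt.partition(':')
                opts[key.strip()] = val.strip().strip('"')
        rules.append(Rule(
            action=m.group('action'),
            proto=m.group('proto'),
            msg=opts.get('msg', ''),
            itype=int(opts['itype']) if 'itype' in opts else None,
            content=opts['content'].encode() if 'content' in opts else None,
        ))
    return rules


def matches(rule: Rule, pkt: Packet) -> bool:
    """Only proto, itype and a plain content substring are modelled."""
    if rule.proto != pkt.proto:
        return False
    if rule.itype is not None and rule.itype != pkt.itype:
        return False
    if rule.content is not None and rule.content not in pkt.payload:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet,
             pass_first: bool = False) -> Optional[Tuple[str, str]]:
    """Return (action, msg) of the first matching rule, testing rule types in
    Snort's order: alert rules first by default, pass rules first with -o."""
    order = ('pass', 'alert', 'log') if pass_first else ('alert', 'pass', 'log')
    for action in order:
        for rule in rules:
            if rule.action == action and matches(rule, pkt):
                return action, rule.msg
    return None


# Constructed rules: a specific Speedera ping rule followed by a generic one.
SPEEDERA_RULE = ('alert icmp $EXTERNAL_NET any -> $HOME_NET any '
                 '(msg:"ICMP PING speedera"; itype:8; content:"SPEEDERA"; sid:1000001;)')
GENERIC_RULE = ('alert icmp $EXTERNAL_NET any -> $HOME_NET any '
                '(msg:"ICMP PING"; itype:8; sid:1000002;)')

RULESETS = {
    'original': SPEEDERA_RULE + '\n' + GENERIC_RULE,
    'commented_out': '# ' + SPEEDERA_RULE + '\n' + GENERIC_RULE,
    'alert_to_pass': SPEEDERA_RULE.replace('alert', 'pass', 1) + '\n' + GENERIC_RULE,
}

SPEEDERA_PING = Packet('icmp', 8, b'SPEEDERA probe payload')        # constructed
PLAIN_PING = Packet('icmp', 8, b'abcdefghijklmnopqrstuvwabcdefghi')  # constructed


def run_scenarios() -> Dict[Tuple[str, str], Optional[Tuple[str, str]]]:
    results = {}
    for name, text in RULESETS.items():
        rules = parse_rules(text)
        results[(name, 'default')] = evaluate(rules, SPEEDERA_PING)
        results[(name, '-o')] = evaluate(rules, SPEEDERA_PING, pass_first=True)
    # A normal ping must still be reported even with the pass rule and -o.
    results[('alert_to_pass', '-o plain ping')] = evaluate(
        parse_rules(RULESETS['alert_to_pass']), PLAIN_PING, pass_first=True)
    return results


if __name__ == '__main__':
    for (ruleset, mode), outcome in run_scenarios().items():
        print(f'{ruleset:14} {mode:16} -> {outcome}')
```

Reading the results: commenting the rule out leaves the generic "ICMP PING" rule to fire, which is exactly what Ian expected; changing it to pass without -o changes nothing, because alert rules are tested before pass rules; only pass plus -o suppresses the Speedera alert while a plain ping is still reported. The simulation does not model cost, but the -o case is also where Jon's warning applies: with pass rules tested first, a pass rule carrying a content option has its content check run against every packet before any alert rule is consulted.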
