Snort mailing list archives
Re: Tuning snort rules.
From: Erek Adams <erek () theadamsfamily net>
Date: Wed, 24 Apr 2002 11:52:24 -0700 (PDT)
On Tue, 23 Apr 2002, Ian Macdonald wrote:
> What is the best way to tune snort signatures.
Short answer: Know your network.
> For example, I am seeing a lot of Speedera pings; from http://www.sans.org/y2k/121100-1200.htm they seem to be an annoyance more than anything else. I originally thought that in order to disable a rule I should just comment it out, but that would just mean that the later rule for ping would pick it up.
From your statement, I'm assuming that your sensor is placed on the outside of your firewall. If that's the case, be prepared to see all sorts of things. Many times these things are harmless, but in some cases (Speedera ping comes to mind) some tools actually use that same ping content to bypass the rule. And along that same vein: Why do you care about pings? Will a ping ruin your day? :) If they bother you that much, drop'em at the gateway router and/or firewall and turn off the entire ruleset. IIRC, that ruleset is turned off by default.
> Any suggestions on the best way to do this? What happens if I change the rules from alert to pass.
Don't just blindly change the rule from alert to pass. First, you'll have to use -o to make the pass rules work as you expect. Then if you do just change alert into pass, you're also forcing a check if you leave any of the rule options there. The simpler a pass rule is, the better off you are:

    pass <somehost> 80 -> $HOME_NET any (msg: "Passed traffic";)

is about the simplest you can get.

If it _REALLY_ is a pain, build a BPF filter and use that. The BPF acts at the pcap level (pre-snort) and stops packets from ever getting to snort. And yes, you can specify type.

As someone else suggested: LARGE COFFEE, some free time, and a notebook will help in finding the rules you really care about.

If you do decide to change a rule, I suggest copying it to a 'custom.rules' with comments stating why it was changed. That way you can simply comment out the original rule from the rules file, simplifying updates from the snort.org rulesets. Note: Don't use 'local.rules'. :) There's a _blank_ local.rules in the distro, so a 'cp *.rules /<snort_rules_path>/' would overwrite it. :)

Have a look at 'oinkmaster' to help you do rule management. From what I've seen it's rather helpful in cases like this.

Good luck!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
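The rule-management workflow described in the reply (copy the rule into custom.rules with a comment saying why, comment out the original, and keep harmless pings away from snort with a BPF filter), written out as an added example; this is not code from the original thread. It assumes rules carry a `sid:N;` option, that snort reads the filter from a file with `-F`, and that `-o` is passed so pass rules are evaluated first; the rules file, SID and addresses in the usage comment are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes rules carry a "sid:N;"
# option and that snort is run with -o (pass rules first) and -F <bpf file>.

# move_rule RULES_FILE CUSTOM_FILE SID REASON
# Copies the active rule with the given SID into CUSTOM_FILE, preceded by a
# comment recording why it was moved, then comments the original out in
# RULES_FILE so a fresh ruleset download can simply replace that file.
# Returns 1 if no active rule with that SID exists.
move_rule() {
    rules=$1; custom=$2; sid=$3; reason=$4
    hit=$(grep -n "sid:$sid;" "$rules" | grep -v '^[0-9]*:[[:space:]]*#' | head -n 1)
    [ -n "$hit" ] || return 1
    num=${hit%%:*}
    rule=${hit#*:}
    {
        printf '# sid %s moved from %s. Reason: %s\n' "$sid" "$rules" "$reason"
        printf '%s\n' "$rule"
    } >> "$custom"
    # comment the original out in place (line number from grep -n above)
    awk -v n="$num" -v c="$custom" \
        'NR == n { print "# moved to " c ": " $0; next } { print }' \
        "$rules" > "$rules.tmp" && mv "$rules.tmp" "$rules"
}

# bpf_no_ping_from HOST... prints a BPF expression that drops ICMP echo
# requests from the listed hosts before snort ever sees them (the
# "pre-snort" option for known-harmless pingers such as monitoring services).
bpf_no_ping_from() {
    hosts=""
    for h in "$@"; do
        hosts="${hosts:+$hosts or }src host $h"
    done
    printf 'not (icmp[icmptype] = icmp-echo and (%s))\n' "$hosts"
}

# Typical use (all paths, the SID and the addresses are placeholders):
#   move_rule /etc/snort/rules/icmp.rules /etc/snort/rules/custom.rules 1000002 \
#       "external monitoring pinger, noise only"
#   bpf_no_ping_from 192.0.2.10 192.0.2.11 > /etc/snort/ping.bpf
#   snort -c /etc/snort/snort.conf -o -F /etc/snort/ping.bpf
```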