Snort mailing list archives

Re: Tuning snort rules.


From: Erek Adams <erek () theadamsfamily net>
Date: Wed, 24 Apr 2002 11:52:24 -0700 (PDT)

On Tue, 23 Apr 2002, Ian Macdonald wrote:

> What is the best way to tune snort signatures?

Short answer:  Know your network.

> For example I am seeing a lot of Speedera pings; from
> http://www.sans.org/y2k/121100-1200.htm they seem to be an annoyance more
> than anything else. I originally thought that in order to disable a rule I
> should just comment it out, but that would just mean that the later rule for
> ping would pick it up.

From your statement, I'm assuming that your sensor is placed on the outside of
your firewall.  If that's the case, be prepared to see all sorts of things.
Many times these things are harmless, but in some cases (Speedera ping comes
to mind) some tools actually use that same ping content to bypass the rule.

And along that same vein:  Why do you care about pings?  Will a ping ruin your
day?  :)  If they bother you that much, drop 'em at the gateway router and/or
firewall and turn off the entire ruleset.  IIRC, that ruleset is turned off by
default.

> Any suggestions on the best way to do this? What happens if I change the
> rules from alert to pass?

Don't just blindly change the rule from alert to pass.  First, you'll have to
use -o to make the pass rules work as you expect.  Then if you do just change
alert into pass, you're also forcing a check if you leave any of the rule
options there.  The simpler a pass rule is, the better off you are:

        pass tcp <somehost> 80 -> $HOME_NET any (msg:"Passed traffic";)

is about the simplest you can get.

If it _REALLY_ is a pain, build a BPF filter and use that.  The BPF acts at
the pcap level (pre-snort) and stops packets from ever getting to snort.  And
yes, you can specify type.

As someone else suggested:  LARGE COFFEE, some free time, and a notebook will
help in finding the rules you really care about.  If you do decide to change a
rule, I suggest copying it to a 'custom.rules' with comments stating why it
was changed.  That way you can simply comment out the original rule from the
rules file, simplifying updates from the snort.org rulesets.  Note:  Don't use
'local.rules'.  :)  There's a _blank_ local.rules in the distro, so a 'cp
*.rules /<snort_rules_path>/' would overwrite it.  :)

Have a look at 'oinkmaster' to help you do rule management.  From what I've
seen it's rather helpful in cases like this.

Good luck!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
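As an added illustration of the custom.rules workflow described in the reply (this is not code from the post, from Snort, or from oinkmaster): a small Python helper that copies a rule, selected by sid, into a custom.rules entry with a comment stating why it was changed, and comments the original out of the vendor rules file so the next snort.org update does not clobber the change. The sample rules file, its sids and the function names are constructed for this example; backslash-continued rules are joined first so a whole rule is moved, not half of it.

```python
import re

# Constructed sample of a vendor rules file (not real snort.org content);
# local sids >= 1000000 mark it as made up. The second rule uses the
# backslash line continuation that Snort rules files allow.
SAMPLE_RULES = (
    'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING vendor-x"; '
    'itype:8; sid:1000001; rev:1;)\n'
    'alert icmp $EXTERNAL_NET any -> $HOME_NET any \\\n'
    '    (msg:"ICMP PING"; itype:8; sid:1000002; rev:1;)\n'
)

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def logical_lines(text):
    """Yield each rule as one string, joining backslash-continued lines."""
    buf = []
    for line in text.splitlines():
        if line.rstrip().endswith("\\"):
            buf.append(line.rstrip()[:-1].rstrip())
            continue
        buf.append(line.strip() if buf else line)
        yield " ".join(buf)
        buf = []
    if buf:  # dangling continuation at end of file
        yield " ".join(buf)


def move_rule(rules_text, sid, reason, modified_rule=None):
    """Comment the rule with `sid` out of the vendor file and return
    (updated vendor text, entry to append to custom.rules).

    The custom.rules entry carries the reason as a comment, followed by
    either the tuned rule (`modified_rule`) or the unchanged original."""
    updated, entry = [], None
    for rule in logical_lines(rules_text):
        m = SID_RE.search(rule)
        if m and int(m.group(1)) == sid and not rule.lstrip().startswith("#"):
            if entry is not None:
                raise ValueError(f"sid {sid} appears more than once")
            entry = f"# sid:{sid} moved from vendor rules: {reason}\n"
            entry += (modified_rule or rule) + "\n"
            updated.append(f"# sid:{sid} -> custom.rules  {rule}")
        else:
            updated.append(rule)
    if entry is None:
        raise KeyError(f"sid {sid} not found")
    return "\n".join(updated) + "\n", entry
```

The caller writes the first return value back over the vendor file and appends the second to custom.rules; because the vendor copy is only commented out, a `cp *.rules` from a fresh ruleset re-enables it, which is exactly the cue to re-check the custom entry.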

