Snort mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Filtering alerts

From: Erek Adams <erek () snort org>
Date: Tue, 23 Sep 2003 06:52:28 -0400 (EDT)
On Mon, 22 Sep 2003, Richard Brackett wrote:


Yes, I saw that. That's why I upgraded to 2.0.2. :-)


It doesn't help me with "noise" though. For example, I don't care about
the various IIS related signatures that fire against my Citrix servers.
They aren't vulnerable to those attacks. I don't want to turn the rule
off though, because I have IIS servers and I never know when some yutz
is going to put a new one up without patches.


It's called "rule tuning".

Offhand, I'd guess that you're running the standard default ruleset.  If
you are that's your trouble.  Those default rules aren't setup to be used
in a "real world" situation due to how noisy they are.  They are more
suited for some sort of small net with a low amount of traffic.

If using that, you simply need to go over each rule and decide how
important it is for your network.  Disable rules as needed, and fine tune
others.

You can also use BPF filters which saves you on processing overhead.
Check FAQ 3.9 [0].

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


[0]     http://www.snort.org/docs/FAQ.txt


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: