Snort mailing list archives
RE: Good Snort Signatures <-- is all in tuning
From: "Adriel T. Desautels" <atd () secnetops com>
Date: Tue, 24 Aug 2004 22:03:13 -0400
Patrick et al.,

This is what I had suspected all along but wanted to check my thoughts against you folks. I heard rumors about "better rules" or "more well written rules" but have never seen such rule sets.

My next adventure, does anyone know of a utility which will configure snort rules automatically based on a detected network configuration? If so, please let me know.

Adriel T. Desautels
Founder and CTO
Secure Network Operations
Embracing the future of technology, protecting you.
Office: 978-263-3829
Fax: 978-263-3313
atd () secnetops com
www.secnetops.com

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Patrick S. Harper
Sent: Tuesday, August 24, 2004 8:31 PM
To: atd () secnetops com; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Good Snort Signatures

I believe the problem is not in the rules but in the tuning. It is not an hour or two process for ANY IDS. I have worked with most of the major versions in the last 5 years and even worked as an SE for one of the manufacturers. I find that a lot of people just install snort, crank it up, open acid and get overwhelmed. You have variables to define, and you need to do all of them, not just home and external net. Then you need to go through and get rid of the rules that do not mean anything to you.

Patrick S. Harper | CISSP RHCT MCSE
www.internetsecurityguru.com
www.ntsug.org - Snort Users Group
"If there is no light at the end of the tunnel, get down there and light the damn thing yourself!"

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Adriel T. Desautels
Sent: Tuesday, August 24, 2004 12:57 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Good Snort Signatures

Greetings List,

Does anyone here know where I can find low false positive snort rules? The rules from snort.org are simply bunk. They generate way too many false positives and even false negatives during certain types of events. I am not averse to purchasing snort rules either, I just need something that works.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
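
The two tuning steps named in the quoted reply (define every variable, then drop rule files that mean nothing on your network) can be checked mechanically. The sketch below is an added example, not code from the thread or from the Snort project. It assumes Snort 2.x `var`/`include` syntax, a constructed `snort.conf` excerpt, an operator-supplied service inventory, and a hypothetical rule-file-to-service mapping.

```python
import re

# Constructed snort.conf excerpt (Snort 2.x syntax), not taken from the thread.
SAMPLE_CONF = """\
var HOME_NET 192.168.10.0/24
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS 192.168.10.25
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var RULE_PATH ../rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/oracle.rules
# include $RULE_PATH/icmp-info.rules
"""

# Assumption: the operator's own inventory of services on the monitored network.
SERVICES_PRESENT = {"smtp", "web-apache"}
# Hypothetical mapping from a rule file to the service it only makes sense for.
RULE_NEEDS = {"web-iis.rules": "web-iis", "smtp.rules": "smtp",
              "oracle.rules": "oracle"}

def parse_conf(text):
    """Return ({var: value}, [included rule file names]) from snort.conf text."""
    variables, includes = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        m = re.match(r"var\s+(\S+)\s+(.+)$", line)
        if m:
            variables[m.group(1)] = m.group(2).strip()
            continue
        m = re.match(r"include\s+(\S+)$", line)
        if m:
            includes.append(m.group(1).rsplit("/", 1)[-1])
    return variables, includes

def audit(text, services=SERVICES_PRESENT):
    """List variables still at install defaults and rule files with no matching service."""
    variables, includes = parse_conf(text)
    untuned = [n for n, v in variables.items()
               if (n == "HOME_NET" and v == "any")
               or (n.endswith("_SERVERS") and v in ("any", "$HOME_NET"))]
    unneeded = [f for f in includes
                if f in RULE_NEEDS and RULE_NEEDS[f] not in services]
    return untuned, unneeded

if __name__ == "__main__":
    untuned, unneeded = audit(SAMPLE_CONF)
    print("variables left at defaults:", untuned)
    print("rule files with no matching service:", unneeded)
```

Server variables that still alias `$HOME_NET` make every service-specific rule fire against every internal host, which is a common source of the alert volume the thread complains about.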