Snort mailing list archives
Re: Fine tuning Snort
From: waldo kitty <wkitty42 () windstream net>
Date: Thu, 07 Oct 2010 12:56:09 -0400
On 10/7/2010 12:26, James Lay wrote:
> Hello All. So I'm needing to fine tune snort a bit. I get a high amount of FP's on things like:
>
> Emails with .jpg's:
> [1:12798:3] SHELLCODE base64 x86 NOOP [**] [Classification: Executable Code was Detected]
>
> exe downloads from Windows Updates:
> [1:15306:4] WEB-CLIENT Portable Executable binary file transfer
> [1:2000419:12] ET POLICY PE EXE or DLL Windows file download
>
> I'd rather not just comment out these rules....what are other folks doing to minimize FP's?
>
> Thank you.
use the threshold file, luke... use the threshold file ;)

here's a working *sample* threshold.conf...

# this file is used to set threshold levels on or to
# completely suppress a gid:sid without modifying the
# actual rules themselves.
# see README.filter for details
#
# DNS Spoof stuff from google's public dns servers
suppress gen_id 1, sig_id 254, track by_src, ip 8.8.4.4
suppress gen_id 1, sig_id 254, track by_src, ip 8.8.8.8
# Consecutive TCP small segments exceeding threshold
# from irc.oftc.net systems - ping, are you there?
suppress gen_id 129, sig_id 12, track by_src, ip 12.31.165.82
suppress gen_id 129, sig_id 12, track by_src, ip 64.62.190.36
suppress gen_id 129, sig_id 12, track by_src, ip 66.184.117.12
suppress gen_id 129, sig_id 12, track by_src, ip 72.32.146.136
suppress gen_id 129, sig_id 12, track by_src, ip 140.211.166.64
suppress gen_id 129, sig_id 12, track by_src, ip 206.12.19.242
suppress gen_id 129, sig_id 12, track by_src, ip 207.192.72.99
# Suppress http_inspect LONG HEADER
suppress gen_id 119, sig_id 19
# Suppress TCP Timestamp is outside of PAWS window
suppress gen_id 129, sig_id 3
# Suppress TCP Timestamp is outside of PAWS window
suppress gen_id 129, sig_id 4
# Suppress Bad segment, adjusted size <= 0
suppress gen_id 129, sig_id 5
# Suppress Limit on number of overlapping TCP packets reached
suppress gen_id 129, sig_id 7
# Suppress Consecutive TCP small segments exceeding threshold
suppress gen_id 129, sig_id 12
# Suppress SENSITIVE-DATA U.S. Social Security Numbers (w/out dashes)
suppress gen_id 138, sig_id 4
# Suppress SENSITIVE-DATA Email Addresses
suppress gen_id 138, sig_id 5
# Suppress SENSITIVE-DATA SDF_COMBO_ALERT
suppress gen_id 139, sig_id 1
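A threshold.conf fragment written for the three rules James lists, added here as an illustration rather than taken from the thread or from the Snort distribution. The mail-server address and the update-mirror CIDR are constructed placeholders. The idea it shows is to scope each suppression to the hosts that legitimately trigger the rule (track by_src / by_dst with an ip) and to rate-limit the rule with event_filter everywhere else, so that the rule keeps firing for unexpected sources instead of being silenced outright.

```conf
# threshold.conf (added example; addresses are constructed placeholders)
#
# SHELLCODE base64 x86 NOOP (1:12798) fires on base64-encoded mail
# attachments. Suppress it only for SMTP delivery to the internal mail
# server, so the rule still alerts when another host is the destination.
suppress gen_id 1, sig_id 12798, track by_dst, ip 192.0.2.25

# PE binary transfer (1:15306) and ET POLICY PE download (1:2000419) fire
# on every Windows Update download. Suppress them only when the source is
# the update mirror / WSUS range (placeholder CIDR), not for every source.
suppress gen_id 1, sig_id 15306, track by_src, ip 198.51.100.0/24
suppress gen_id 1, sig_id 2000419, track by_src, ip 198.51.100.0/24

# For all other sources keep the rules but limit them to one alert per
# source host per hour, so a patch cycle cannot flood the console while
# a PE download from an unknown host is still reported once.
event_filter gen_id 1, sig_id 15306, type limit, track by_src, count 1, seconds 3600
event_filter gen_id 1, sig_id 2000419, type limit, track by_src, count 1, seconds 3600
```

The file is pulled in from snort.conf with `include threshold.conf`; running `snort -T -c snort.conf` parses the configuration without sniffing and reports a syntax error in any suppress or event_filter line before the sensor goes live.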