Snort mailing list archives
RE: Tuning snort rules.
From: "Williams Jon" <WilliamsJon () JohnDeere com>
Date: Wed, 24 Apr 2002 13:18:05 -0500
Hmm. Theoretically, you could set up a custom action that is defined to log to /dev/null and then change your action from alert to your custom one for the rules that you want to ignore and not see anything else on. As far as I can tell, though, saying "I don't care about this one thing and everything else that is similar to it" without having verified all of the "everything similar" cases is a risky position at best.

Jon

-----Original Message-----
From: Ian Macdonald [mailto:secsnort () dirk demon co uk]
Sent: Wednesday, April 24, 2002 12:06 PM
To: Williams Jon; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Tuning snort rules.

So in this case I would have to remove both the ICMP ping rule and the Speedera rule. Am I right in assuming that there is no way to say "Yes, this rule triggered, but we are not going to log it and we are not going to process any other rules that might also trigger"?

Thanks
Ian

----- Original Message -----
From: "Williams Jon" <WilliamsJon () johndeere com>
To: "'Ian Macdonald'" <secsnort () dirk demon co uk>; <snort-users () lists sourceforge net>
Sent: Wednesday, April 24, 2002 10:18 AM
Subject: RE: [Snort-users] Tuning snort rules.

First, simply changing a rule that has any options, particularly the content option, from alert to pass is a bad idea if you're using the -o flag on the command line. It forces snort to inspect every packet, and the content option means that essentially every byte of every packet has to be checked, so this will slow things down dramatically. Can you tell I've done this? :-)

Second, there is, unfortunately, no easier way to tune the rules than to sit down with the rules, a big mochachino, and your local infrastructure expert and just keep saying "So, do we run Apache? Do we run Speedera? Do we run iPlanet? Do we run IPX?" and so on. Tedious, yes, but it's the only way I've found to get rid of all that fluff. It's part of the reason Marty didn't want to include rules in the beginning - no one really knows your network better than you, well, except that hacker, but he's not going to help.

Jon

-----Original Message-----
From: Ian Macdonald [mailto:secsnort () dirk demon co uk]
Sent: Tuesday, April 23, 2002 4:59 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Tuning snort rules.

What is the best way to tune snort signatures? For example, I am seeing a lot of Speedera pings; from http://www.sans.org/y2k/121100-1200.htm they seem to be an annoyance more than anything else. I originally thought that in order to disable a rule I should just comment it out, but that would just mean that the later rule for ping would pick it up. Any suggestions on the best way to do this? What happens if I change the rules from alert to pass?

Thanks
Ian

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
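The custom "log to /dev/null" action Jon sketches, written out as an added Snort configuration fragment that is not from the thread. It assumes Snort's ruletype directive and the log_null output plugin; the two rules, their messages and their sids are constructed stand-ins for the Speedera ping rule and the generic ping rule, not the ruleset's own.

```snort
# Added example, not from the thread. Assumes Snort's "ruletype" directive and
# the log_null output plugin, which discards whatever is handed to it. This is
# the "custom action that logs to /dev/null" from the message above.
ruletype muted
{
    type log
    output log_null
}

# Constructed stand-in for the Speedera ping rule: only the action changes,
# from "alert" to the custom "muted" action above. The sid is a local-range
# placeholder, not the real rule's sid.
muted icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING muted example"; itype:8; sid:1000001; rev:1;)

# Constructed stand-in for the generic ping rule; it is left untouched and
# still alerts, which is the point of muting one rule rather than all of them.
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING example"; itype:8; sid:1000002; rev:1;)
```

This silences the one rule without touching its options, so the -o/pass performance problem Jon describes does not apply, but any other rule the same packet matches still has to be reviewed on its own, which is exactly the "everything similar" caveat he raises.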
Current thread:
- Tuning snort rules. Ian Macdonald (Apr 23)
- Re: Tuning snort rules. Erek Adams (Apr 24)
- <Possible follow-ups>
- RE: Tuning snort rules. Williams Jon (Apr 24)
- Re: Tuning snort rules. Ian Macdonald (Apr 24)
- RE: Tuning snort rules. Williams Jon (Apr 24)