Snort mailing list archives
Re: Automated snort tuner
From: Bennett Todd <bet () rahul net>
Date: Mon, 28 Apr 2003 14:30:01 -0400
2003-04-28T10:02:43 Always Bishan:
Do we have an automated tuner for snort, or is anybody doing it?
I'm assuming by an "automated tuner", you mean something you can run to automatically clear up all the false positives. If that assumption is wrong, please disregard the rest of this email and send along the definition you have in mind.

Given that definition, it's not possible in principle. Or rather, it would be equivalent to shutting down snort, or to simply ignoring all its alerts. One person's false-positive (that should be disabled) is another's incident (that should be investigated and addressed). For any given alert, some people will want to disable the rule, or adjust the preprocessor config, or add a BPF filter to make snort shut up; and other people will want to hunt down the source of the offending traffic and make it stop.

The snort dev team does a darned good job of attempting to tune the ruleset as-shipped for a reasonable baseline; the remaining tuning that has to be done is in my experience really personal and individual. I speak from experience here, as I've tuned snorts in a few different contexts now, and I don't recall many if any things I did the same, aside from the general pattern of practice.

One thing you can do is try for one of two snort deployment models. These have the characteristic that they don't (in my experience) require large amounts of engineering time and energy to get the tuning usable. One is to deploy snort way outside or deep inside, exposed to internet or desktop-LAN traffic. In this exposure, run your snort to collect stats and accumulate forensic info, occasionally peek at it to learn more about how things smell on those nets (foul, but in what ways), perhaps even profile over time to get a feel for how fast things are getting worse. Do not try and generate alarms or set off pagers or create trouble tickets automatically from these snorts.
The other way is to deploy snort on exceedingly tightly controlled links near the inside edge of firewall plants, screened by network topology from the revolting stuff found on the dirty nets further away from the firewall. Here a modest amount of tuning will silence all the false-positives. -Bennett
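As an added illustration of the "collect stats and peek at it" deployment model described above (this script is not part of the original thread), the Python below summarizes Snort alert_fast lines per signature and per source so a person can decide whether each signature is noise on that sensor or an incident worth chasing; the sample alert lines are constructed, with made-up SIDs in the local 1000000+ range.

```python
import re
from collections import Counter, defaultdict

# Layout of one Snort alert_fast line (one alert per line). The
# Classification field and the port suffixes are optional (ICMP has no ports).
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"(?:\[Classification: [^\]]*\] )?\[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?$"
)

# Constructed sample alerts (documentation IP ranges, invented local SIDs).
SAMPLE_ALERTS = """\
04/28-10:02:43.101 [**] [1:1000001:1] CONSTRUCTED scan probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:4411 -> 192.0.2.10:80
04/28-10:02:44.202 [**] [1:1000001:1] CONSTRUCTED scan probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:4412 -> 192.0.2.11:80
04/28-10:03:01.303 [**] [1:1000002:1] CONSTRUCTED ICMP large payload [**] [Priority: 3] {ICMP} 198.51.100.7 -> 192.0.2.10
04/28-10:05:15.404 [**] [1:1000001:1] CONSTRUCTED scan probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.77:5000 -> 192.0.2.10:80
"""


def parse_alerts(text):
    """Parse alert_fast lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            alerts.append(m.groupdict())
    return alerts


def summarize(alerts):
    """Per-signature hit count and number of distinct source hosts.

    This is the raw material a human reviews before deciding whether a
    signature is noise on this sensor (disable/filter it) or an incident
    (find the source and stop it); the script itself decides nothing.
    """
    by_sig = Counter()
    sources = defaultdict(set)
    for a in alerts:
        key = (a["gid"], a["sid"], a["msg"])
        by_sig[key] += 1
        sources[key].add(a["src"])
    return {key: {"count": n, "distinct_sources": len(sources[key])}
            for key, n in by_sig.items()}


if __name__ == "__main__":
    for (gid, sid, msg), stats in sorted(summarize(parse_alerts(SAMPLE_ALERTS)).items()):
        print(f"{gid}:{sid} {msg!r}: {stats['count']} hits from {stats['distinct_sources']} source(s)")
```

Point it at a real alert file by replacing SAMPLE_ALERTS with the file contents; the same sig hitting from many sources reads very differently on an outside sensor than on a tightly screened inside link.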