Snort mailing list archives

Re: Automated snort tuner


From: Bennett Todd <bet () rahul net>
Date: Mon, 28 Apr 2003 14:30:01 -0400

2003-04-28T10:02:43 Always Bishan:
> Do we have an automated tuner for snort, or is anybody
> doing it?

I'm assuming by an "automated tuner", you mean something you can
run to automatically clear up all the false positives. If that
assumption is wrong, please disregard the rest of this email and
send along the definition you have in mind.

Given that definition, it's not possible in principle. Or rather, it
would be equivalent to shutting down snort, or to simply ignoring
all its alerts.

One person's false-positive (that should be disabled) is another's
incident (that should be investigated and addressed).

For any given alert, some people will want to disable the rule, or
adjust the preprocessor config, or add a BPF filter to make snort
shut up; and other people will want to hunt down the source of the
offending traffic and make it stop.

The snort dev team does a darned good job of attempting to tune
the ruleset as-shipped for a reasonable baseline; the remaining
tuning that has to be done is in my experience really personal and
individual. I speak from experience here, as I've tuned snorts in a
few different contexts now, and I don't recall many if any things I
did the same, aside from the general pattern of practice.

One thing you can do is try for one of two snort deployment models.
These have the characteristic that they don't (in my experience)
require large amounts of engineering time and energy to get the
tuning usable.

One is to deploy snort way outside or deep inside, exposed to
internet or desktop-LAN traffic. In this exposure, run your snort
to collect stats and accumulate forensic info, occasionally peek
at it to learn more about how things smell on those nets (foul, but
in what ways), perhaps even profile over time to get a feel for how
fast things are getting worse. Do not try to generate alarms or set
off pagers or create trouble tickets automatically from these snorts.

The other way is to deploy snort on exceedingly tightly controlled
links near the inside edge of firewall plants, screened by network
topology from the revolting stuff found on the dirty nets further
away from the firewall. Here a modest amount of tuning will silence
all the false-positives.

-Bennett
