Snort mailing list archives
RE: Automated snort tuner - IDEA?
From: "Scott, Joshua" <Joshua.Scott () jacobs com>
Date: Tue, 6 May 2003 04:24:25 -0400
There are a couple different ways of looking at this scenario:

One is the small company with only a few networks. The Network/Systems/IDS/etc. administrator is probably already pretty familiar with their networks, so implementing IDS and manually tuning the rules should not be too grueling of a task.

The other scenario is the large company such as mine. I've got about 6 IDS sensors set up today, but I'd like it to eventually expand to include our critical offices. The total number of sensors I'd be managing could get close to 100, without including additional Snort instances for each segment. I've already got a standard Linux config, so the hardware/software portion would be a breeze. The issue would be with the tweaking and management of the ruleset. Unfortunately, I'm the only IDS administrator and I only get to wear that hat about 1-2 hours a day. Without some type of automated or assisted configuration tool, I'll be unable to really benefit from the IDS. I'll be overloaded with false positives and information messages.

This automated tool could be a great benefit to the security community if done properly. Simply because other tools were done half-assed is not a reason to scrap this idea. If done properly, this tool wouldn't hurt sysadmins, but benefit them by showing what rules are being disabled/enabled and what may be affected. In the current scenario, I would bet many sysadmins leave all the default rules enabled. I know from experience that with all rules enabled, many legitimate rules can be overlooked due to the sheer amount of events.

Before any tool of this nature is going to work effectively, the documentation of all existing rules will need to be completed. Also, the classification types should include some kind of documentation as to their use. These categories could be a great assistance in an automated configuration/tuning tool.
I also think that adding a new field or category to each rule that lists the affected vendor/application/version (if any) would be extremely useful. The tool could then prompt the user as to what types of systems are on the network and filter based on that. I get rather frustrated when I start getting hit with thousands of some "FTP Attack" and I come to find out it is a rule for a vulnerability on some FTP server that I don't have anywhere on my network.

I'm not saying this tool should handle 100% of the sensor tuning. I still think it does require some degree of interaction. All changes should require manual intervention, and sufficient documentation should be provided so the user is aware.

Is anyone else experiencing the same frustrations as me with managing an IDS infrastructure in the enterprise? I've heard some companies actually have budgets and staff for this kind of stuff! What's that like? ;-)

Joshua Scott
Security Architect, CISSP

-----Original Message-----
From: Matt Kettler [mailto:mkettler () evi-inc com]
Sent: Monday, April 28, 2003 11:34 AM
To: Always Bishan; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Automated snort tuner

At 03:02 PM 4/28/2003 +0100, Always Bishan wrote:
> Hi guys,
> Do we have an automated tuner for snort, or is anybody doing it?
> Thanx.
> Bishan
"Automated tuner"? Do you mean something that automatically re-tweaks your ruleset for you?

Personally, I don't think I'd advise anyone to consider writing such a tool. People might be tempted to use it and not tune their setups themselves. There's a very large amount of subjective opinion that goes into tuning a snort setup and an immense number of variables to consider. Any automated tool would do a half-assed job at best.

You could argue that an automated tuning would be a good starting place, but I'd suspect most sysadmins would use it and leave it as is without thinking about it.

Besides, you need to be intimately familiar with your configuration in order to be able to make good sense of the alerts that are generated anyway. So auto-tuning doesn't save you much time anyway. You'll still have to thumb through the ruleset manually.
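The inventory-driven filtering Joshua proposes above (a per-rule affected vendor/application field, matched against what actually runs on the network), sketched as a Python script. This is an added example, not code from this thread or from the Snort project. It assumes rules carry a `metadata:affected_product ...` key (the sample rules, their sids and the inventory are constructed for the example), and it follows Joshua's requirement that nothing is applied automatically: a rule that misses the inventory is written back as a commented-out line, and every proposed change is logged with its sid, msg and reason for a human to approve.

```python
"""Inventory-driven Snort rule filter (added example, not Snort's own code).

Parses Snort rules, reads an assumed ``metadata:affected_product ...`` key,
and proposes disabling rules whose affected product is not in a host
inventory. Rules with no product information, or tagged ``Any``, are left
enabled: the tool only disables what it can justify. Every proposal is
recorded so the administrator can review it before anything is applied.
"""
import re
from dataclasses import dataclass, field

# Constructed sample ruleset for this example. The sids, msgs and content
# strings are made up and do not correspond to any real Snort rule.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP example overflow"; flow:to_server,established; content:"SITE "; sid:9000001; rev:1; classtype:attempted-admin; metadata:affected_product WuFTPD, service ftp;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-IIS example traversal"; flow:to_server,established; content:"..%5c"; sid:9000002; rev:1; classtype:web-application-attack; metadata:affected_product Microsoft_IIS, service http;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH example banner"; flow:to_server,established; content:"SSH-"; sid:9000003; rev:1; classtype:misc-activity; metadata:affected_product Any, service ssh;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP example ping"; itype:8; sid:9000004; rev:1; classtype:misc-activity;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"TELNET example, already disabled by hand"; sid:9000005; rev:1;)
"""

SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')
META_RE = re.compile(r'\bmetadata\s*:\s*([^;]*);')


@dataclass
class Change:
    sid: int
    msg: str
    reason: str


@dataclass
class TuningProposal:
    rules: list = field(default_factory=list)    # proposed rule file, line by line
    changes: list = field(default_factory=list)  # Change entries awaiting review


def parse_metadata(rule: str) -> dict:
    """Return the metadata option as {key: [values]}; a key may repeat."""
    out = {}
    m = META_RE.search(rule)
    if not m:
        return out
    for pair in m.group(1).split(','):
        parts = pair.strip().split(None, 1)  # "key value with spaces"
        if len(parts) == 2:
            out.setdefault(parts[0].lower(), []).append(parts[1].strip())
    return out


def affected_products(rule: str) -> list:
    """Products named by the assumed affected_product metadata key."""
    return parse_metadata(rule).get('affected_product', [])


def propose_tuning(rules_text: str, inventory) -> TuningProposal:
    """Propose a ruleset for the given inventory of product names.

    A rule is proposed for disabling only when it names at least one
    affected product and none of them is in the inventory. Matching is
    case-insensitive. Comments and blank lines pass through untouched.
    """
    inv = {p.lower() for p in inventory}
    proposal = TuningProposal()
    for line in rules_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            proposal.rules.append(line)
            continue
        products = [p.lower() for p in affected_products(line)]
        if not products or 'any' in products or inv.intersection(products):
            proposal.rules.append(line)  # no basis to disable: keep enabled
            continue
        sid_m = SID_RE.search(line)
        msg_m = MSG_RE.search(line)
        sid = int(sid_m.group(1)) if sid_m else 0
        msg = msg_m.group(1) if msg_m else '?'
        reason = 'affected_product %s not in inventory' % ', '.join(products)
        proposal.changes.append(Change(sid, msg, reason))
        # Commented out, not deleted, so the reviewer can re-enable it in place.
        proposal.rules.append('# PROPOSED-DISABLE: ' + line)
    return proposal


def render_report(proposal: TuningProposal) -> str:
    """Human-readable change log, one line per proposed disable."""
    if not proposal.changes:
        return 'no changes proposed\n'
    lines = ['%d rule(s) proposed for disabling; review before applying:'
             % len(proposal.changes)]
    for c in proposal.changes:
        lines.append('  sid:%d  "%s"  (%s)' % (c.sid, c.msg, c.reason))
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    # Constructed inventory: IIS and OpenSSH present, no WuFTPD anywhere.
    proposal = propose_tuning(SAMPLE_RULES, {'Microsoft_IIS', 'OpenSSH'})
    print(render_report(proposal))
    print('\n'.join(proposal.rules))
```

The conservative default matters more than the matching: a rule with no product tag or tagged `Any` is never touched, so the script can only reduce noise where the rule itself documents what it covers, which is exactly why the per-rule documentation Joshua asks for has to come first. Apply the proposed file only after reading the report, and keep the original alongside it for diffing.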
Current thread:
- RE: Automated snort tuner - IDEA? Scott, Joshua (May 06)