Snort mailing list archives
RE: Making Snort Rules More "Sensitive"
From: "D@7@K|N&" <dataking () cox net>
Date: Tue, 17 Jun 2003 08:52:33 -0700
Roger that! Good point!

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Erek Adams
Sent: Tuesday, June 17, 2003 8:47 AM
To: Rich Lichvar
Cc: Snort Users List (E-mail)
Subject: Re: [Snort-users] Making Snort Rules More "Sensitive"

On Tue, 17 Jun 2003, Rich Lichvar wrote:

> 2. We got dinged in a security audit last year about our IDS rules (Snort)
> not being "sensitive enough" and were told we needed to raise (lower?) the
> sensitivity thresholds. Okay, if some one can tell me where to start looking
> to accomplish this, I'd really appreciate the help.

Sounds like they need to give you more information. It's not clear if they mean "the rules are giving too many false positives" or "the rules are not alerting enough". What specifically are they expecting? And if you don't mind, just who are "they"?

At the most basic level, there isn't any "threshold" you can set. It's just a matter of rule tuning for either problem. If you don't have Snort configured correctly, you'll not get 'everything'.

Find out what they mean and then it'll be easier to point you in the right direction.

Cheers!

-----
Erek Adams

"When things get weird, the weird turn pro." H.S. Thompson

-------------------------------------------------------
This SF.Net email is sponsored by: INetU
Attention Web Developers & Consultants: Become An INetU Hosting Partner.
Refer Dedicated Servers. We Manage Them. You Get 10% Monthly Commission!
INetU Dedicated Managed Hosting http://www.inetu.net/partner/index.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users