Snort mailing list archives

Re: Rules optimization
From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 18 Jun 2003 11:18:57 -0400

At 03:55 AM 6/18/2003 -0400, Vuppala, Vijaybhasker (EM, GECIS) wrote:
> Hi,
>
> I have used Snort ver 1.8.7 on Redhat Linux 7.3 with Default Rules provided
> for pilot and I see tons of Alerts being generated. In about 40 hours' time
> there are more than a lakh alerts and the database size is 1.9GB. I see
> most of the alerts are of no concern. I know a lot of optimization needs to be
> done but I'm worried I might disable real alerts.


First, if you are using snort 1.8.7 make SURE you've disabled stream4 and the RPC decoder if you can't upgrade to a reasonably recent version of snort... in 1.8.7 both of these preprocessors are exploitable and someone CAN hack your snort box using them.

http://www.securityfocus.com/bid/7178

http://www.securityfocus.com/bid/6963

Also note that disabling stream4 makes snort more-or-less useless, but without disabling it your system will be exploitable.


> If someone has already worked on this and can share their Rules and
> snort.conf enabling the same, it would be great. Or else please throw some
> guidelines as to how to go forward for this optimization.

1.8.x is so old I can barely remember what config options it supports and what the ruleset looks like. You might want to look at the current ruleset for ideas, however many features used in current versions of snort aren't in 1.8.x (most notably flows).
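A tuning aid for the "tons of alerts" problem raised in the question, added here as an example that is not part of the original thread: it parses constructed Snort fast-format alert lines (the one-line layout Snort writes in fast alert mode), ranks rules by volume and flags high-volume, low-priority SIDs as review candidates while keeping priority-1 alerts off that list, so nothing gets disabled on volume alone. The SIDs and addresses in the sample are placeholders.

```python
import re

# Snort fast-alert layout, one event per line:
# ts [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: n] {proto} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r'^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] '
    r'(?:\[Classification: (?P<cls>[^\]]*)\] )?\[Priority: (?P<pri>\d+)\] '
    r'\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?$')

# Constructed sample alerts; the SIDs are placeholders in the local (1000000+) range.
SAMPLE_ALERTS = """\
06/18-03:10:02.112233 [**] [1:1000001:1] EXAMPLE chatty web rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.5:34512 -> 10.0.0.9:80
06/18-03:10:03.445566 [**] [1:1000001:1] EXAMPLE chatty web rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.6:34513 -> 10.0.0.9:80
06/18-03:10:04.778899 [**] [1:1000001:1] EXAMPLE chatty web rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.5:34514 -> 10.0.0.9:80
06/18-03:11:00.000001 [**] [1:1000002:2] EXAMPLE icmp noise [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.7 -> 10.0.0.9
06/18-03:12:30.000002 [**] [1:1000003:1] EXAMPLE admin privilege attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.10:4444 -> 10.0.0.9:21
"""

def parse_alerts(text):
    """One dict per parseable fast-alert line; lines that do not match are skipped."""
    return [m.groupdict() for m in map(ALERT_RE.match, text.splitlines()) if m]

def rank_rules(events):
    """Per-SID message, priority, count and distinct src/dst hosts, noisiest first.
    One source hitting one rule suggests a broken host to threshold; many sources
    suggest the signature itself needs tuning."""
    stats = {}
    for e in events:
        s = stats.setdefault(e['sid'], {'msg': e['msg'], 'pri': int(e['pri']),
                                        'count': 0, 'srcs': set(), 'dsts': set()})
        s['count'] += 1
        s['srcs'].add(e['src'])
        s['dsts'].add(e['dst'])
    return sorted(stats.items(), key=lambda kv: -kv[1]['count'])

def tuning_candidates(ranked, total, min_share=0.25, low_priority=3):
    """SIDs producing at least min_share of all alerts at low priority (Snort
    priority 1 is most severe). High-priority rules are never proposed on volume
    alone, so real alerts are not silenced by accident."""
    if total == 0:
        return []
    return [sid for sid, s in ranked
            if s['count'] / total >= min_share and s['pri'] >= low_priority]
if __name__ == '__main__':
    events = parse_alerts(SAMPLE_ALERTS)
    ranked = rank_rules(events)
    for sid, s in ranked:
        print(sid, s['pri'], s['count'], len(s['srcs']), len(s['dsts']), s['msg'])
    print('review first:', tuning_candidates(ranked, len(events)))
```

Run it against a real alert file instead of SAMPLE_ALERTS to get the list of SIDs worth reading before you touch the ruleset; everything it proposes is a candidate for review, not an automatic disable.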
