Snort mailing list archives

RE: Rule Selection


From: "Adam Kliarsky" <360air () comcast net>
Date: Wed, 9 Feb 2005 22:14:10 -0800

Not an approach I'd recommend...you may reduce your false positives, but are
still subject to human error and subsequent true negatives. Man hours vs.
system compromise.
Consider using an approach that involves 'turning off' certain rules rather
than groups of rules. Define your environment in snort.conf, and turn off
rules you know you do not need.
Even though tcp/80 is the only port listening, you have other attack
vectors; shellcode, icmp floods, etc. that the ids can correlate on. Keep in
mind a targeted attack may attempt other avenues, and it'd be nice to
correlate that in the alerts.
Just my $0.02
Adam
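An added example (not from the thread or the Snort project) of the per-rule approach Adam describes: rather than dropping whole rule files, comment out individual rules by SID, the way oinkmaster's disablesid does, while leaving the shellcode and ICMP rules active. The rules file and its SIDs are constructed sample data in the local SID range; the snort.conf variables it references (HOME_NET, HTTP_SERVERS, HTTP_PORTS) are assumed to be defined for the environment.

```python
import re

# Constructed sample rules (not real Snort rules); SIDs are in the local
# range (>= 1000000) so they do not collide with shipped rule IDs.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC sample 1"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC sample 2"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1433 (msg:"MS-SQL sample"; sid:1000003; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP sample flood"; sid:1000004; rev:1;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SHELLCODE sample"; sid:1000005; rev:1;)
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
RULE_START = ("alert ", "log ", "pass ", "drop ", "reject ", "sdrop ")


def disable_sids(rules_text, sids_to_disable):
    """Comment out only the rules whose SID is in sids_to_disable.

    Returns (new_text, disabled_sids). Comments and lines without a SID
    pass through unchanged; everything else stays enabled.
    """
    out, disabled = [], set()
    for line in rules_text.splitlines():
        stripped = line.lstrip()
        m = SID_RE.search(stripped)
        if stripped.startswith(RULE_START) and m and int(m.group(1)) in sids_to_disable:
            out.append("#" + line)          # disabled, but kept for the audit trail
            disabled.add(int(m.group(1)))
        else:
            out.append(line)
    return "\n".join(out) + "\n", disabled


def active_sids(rules_text):
    """SIDs of rules that are still enabled (not commented out)."""
    return sorted(
        int(m.group(1))
        for line in rules_text.splitlines()
        if line.lstrip().startswith(RULE_START)
        for m in [SID_RE.search(line)] if m
    )


if __name__ == "__main__":
    # Only tcp/80 is served, so the MS-SQL rule is pure noise here; the ICMP
    # and shellcode rules stay on because those vectors still reach the host.
    new_text, off = disable_sids(SAMPLE_RULES, {1000003})
    print(new_text)
    print("disabled:", sorted(off), "active:", active_sids(new_text))
```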

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Rudi Starcevic
Sent: Thursday, February 10, 2005 10:30 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Rule Selection

Hi,

A colleague of mine suggested to me that a machine with only port 80 open
(www server) one should only use www Snort rules.
That would mean not using a lot of available rules for intrusion detection,
is that wise?

Thanks
Best regards
Rudi




-------------------------------------------------------
SF email is sponsored by - The IT Product Guide Read honest & candid reviews
on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
