Snort mailing list archives
Seattle Snort User Group meets Tomorrow - Tuesday, July 11 7:00 PM @ SSCC room TEC129
From: James Affeld <jamesaffeld () yahoo com>
Date: Mon, 10 Jul 2006 15:39:14 -0700 (PDT)
The room will be our usual one after all; the remodel has been rescheduled.

--- James Affeld <jamesaffeld () yahoo com> wrote:
Presentation Topic: Snort Rule Clinic

James Affeld (me) will present a clinic on writing Snort rules for detection and performance, with a heavy reliance on the 80-20 principle (where 80% of the value is in 20% of the features). This will not be a dry recitation of what's already in the excellent Snort manual, nor an exposition of Snort arcana. My intent will be to cover the most generally useful features, the areas easiest to make mistakes, and some things that should be in the manual but aren't. In short, what I think you need to write good Snort rules for the typical IT shop (if there is such a thing). I'll also try to cover in sufficient detail that you'll be able to parse rules written by other people and understand what they are looking for.

To anchor the rule lore in brain space, we'll also take a poorly constructed rule and improve it until it's efficient and accurate. Time permitting, we'll deconstruct/interpret one of the hairiest rules in the Snort distribution.

This presentation will not cover the new rule options available with the release of Snort 2.6. That may be covered in a future presentation.

About the speaker (me): James Affeld has been using Snort for about 5 years. He obtained the GIAC GCIA (GIAC Certified Intrusion Analyst) Gold certification in August 2003, and taught the Local Mentor edition of the SANS IDS class in the summer of 2005 (broadly comparable to being a TA for an upper division class).
SeaSnUG website: http://blowfish.southseattle.edu/SeaSnUG/
RSVP at http://www.snort.org/registrations/rsvp.html
The SeaSnUG mailing list is at: https://lists.snort.org/mailman/listinfo/seattlesug
Regional Map and Directions: http://southseattle.edu/campus/map.htm
Metro Transit Route 125: http://transit.metrokc.gov/tops/bus/schedules/s125_0_.html
Metro Transit Route 128: http://transit.metrokc.gov/tops/bus/schedules/s128_0_.html
Campus Map: http://southseattle.edu/campus/campmap.htm
Contact: jamesaffeld () yahoo com