Snort mailing list archives
Re: Fine tuning Snort
From: James Lay <jlay () slave-tothe-box net>
Date: Thu, 07 Oct 2010 12:02:41 -0600
Kevin and Waldo, you gents are treasures... I will get to work and report my results... thank you much!

James

From: Kevin Ross <kevross33 () googlemail com>
Date: Thu, 7 Oct 2010 17:55:43 +0100
To: James Lay <jlay () slave-tothe-box net>, Snort <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Fine tuning Snort

Well, what you can do is:

- Use threshold.conf to suppress alerts entirely from certain sources or destinations and to limit the number of alerts a rule will fire. Read the examples in threshold.conf and apply them to your environment. If there are specific sources and destinations, you can filter them this way.

- Use oinkmaster or pulledpork to disable and enable the rules from VRT and emergingthreats.net that you need. Start by not including rules files for things you do not have, then go through the rules files taking down the SIDs to disable, and have oinkmaster or pulledpork scheduled by cron to run an update. Also, the shellcode sigs aren't very reliable as they are extremely FP prone.

Emerging Threats rules are rules you want to use as well, purely because of the IP lists (Russian Business Network, botnet control servers & compromised hosts) and malware sigs (a lot of research into that). Vulnerability-wise the ET rules more complement the VRT rules (personally I get more hits off the ET rules, but that is purely because a lot of malware is out there, so you pick up infected clients trying to reach control servers and so on). For a targeted attack it may be the VRT rules that do the actual detection, so best cover threats to your environment, vulnerabilities and such, but I think malware is a threat to everybody.
Though on a side note, Emerging Threats is releasing a full ruleset which has all the normal rules but also has a paid part which provides coverage for all vulnerabilities and you choose what is important: http://www.emergingthreatspro.com/. Though that coverage is paid, the emergingthreatspro stuff is completely free and worth a look, as we do try and complement the VRT rulesets with mostly malware but some vulnerabilities and things, though it is more amateurs rather than professionals, and only now are the rules getting performance checked, improved, etc. by the pro part of the setup to improve the quality of the ruleset. Really a choice based on your needs, but a well tuned environment covering everything that affects you is a good approach.

Hope this helps,
Kevin

On 7 October 2010 17:26, James Lay <jlay () slave-tothe-box net> wrote:
Hello All. So I'm needing to fine tune Snort a bit. I get a high amount of FPs on things like:

Emails with .jpg's:
[1:12798:3] SHELLCODE base64 x86 NOOP [**] [Classification: Executable Code was Detected]

exe downloads from Windows Updates:
[1:15306:4] WEB-CLIENT Portable Executable binary file transfer
[1:2000419:12] ET POLICY PE EXE or DLL Windows file download

I'd rather not just comment out these rules....what are other folks doing to minimize FPs? Thank you.

James

------------------------------------------------------------------------------
Beautiful is writing same markup. Internet Explorer 9 supports standards for HTML5, CSS3, SVG 1.1, ECMAScript5, and DOM L2 & L3. Spend less time writing and rewriting code and more time creating great experiences on the web. Be a part of the beta today. http://p.sf.net/sfu/beautyoftheweb
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
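Kevin's threshold.conf suggestion above, worked through as an added example (not code from the thread, from Snort, or from the Emerging Threats project): a threshold.conf fragment for the three SIDs in James's question, plus a small Python model of Snort 2.x suppress / event_filter "limit" semantics replayed over constructed alert records, so the effect of a tuning line can be checked before it goes onto a sensor. The WSUS server address 10.0.0.25, the mail relay addresses and every alert record are assumptions made up for the demonstration.

```python
"""Model of Snort 2.x threshold.conf 'suppress' and 'event_filter' handling.

Added example, not Snort source. It parses a small threshold.conf fragment
and replays constructed alert records through it, so you can see which alerts
survive before committing the lines to a live sensor. Only 'type limit' is
modelled; 'threshold' and 'both' are rejected rather than approximated.
"""
import ipaddress
from collections import defaultdict

# Constructed threshold.conf fragment for the SIDs in James's question.
# Assumption: the internal WSUS server is 10.0.0.25 (made up for this example).
THRESHOLD_CONF = """
# PE downloads served by our WSUS box are expected: drop them entirely but keep
# the rule live for every other source so a real drive-by download still alerts.
suppress gen_id 1, sig_id 15306, track by_src, ip 10.0.0.25
suppress gen_id 1, sig_id 2000419, track by_src, ip 10.0.0.25
# base64 NOOP hits on mail attachments: keep the rule but allow at most one
# alert per source IP per hour instead of one per attachment.
event_filter gen_id 1, sig_id 12798, type limit, track by_src, count 1, seconds 3600
"""


def parse_threshold_conf(text):
    """Turn suppress/event_filter lines into rule dicts; comments and blanks are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        kind, _, body = line.partition(" ")
        if kind not in ("suppress", "event_filter"):
            raise ValueError("unsupported directive: %r" % line)
        opts = {}
        for field in body.split(","):
            key, _, val = field.strip().partition(" ")
            opts[key] = val.strip()
        rule = {"kind": kind, "gid": int(opts["gen_id"]), "sid": int(opts["sig_id"]),
                "track": opts.get("track")}
        if kind == "suppress":
            # A suppress with no track/ip silences the SID for all traffic.
            rule["net"] = ipaddress.ip_network(opts["ip"], strict=False) if "ip" in opts else None
        else:
            if opts["type"] != "limit":
                raise ValueError("only 'type limit' is modelled here: %r" % line)
            rule["count"] = int(opts["count"])
            rule["seconds"] = int(opts["seconds"])
        rules.append(rule)
    return rules


class AlertFilter:
    """Applies parsed rules to alerts in timestamp order, one counter per (gid, sid, tracked IP)."""

    def __init__(self, rules):
        self.rules = rules
        self.windows = defaultdict(lambda: {"start": None, "seen": 0})

    @staticmethod
    def tracked_ip(rule, ev):
        return ev["src"] if rule["track"] == "by_src" else ev["dst"]

    def accept(self, ev):
        """Return True if the alert would still be logged after suppress/limit processing."""
        for rule in self.rules:
            if (rule["gid"], rule["sid"]) != (ev["gid"], ev["sid"]):
                continue
            if rule["kind"] == "suppress":
                if rule["net"] is None or ipaddress.ip_address(self.tracked_ip(rule, ev)) in rule["net"]:
                    return False
                continue
            # type limit: log the first `count` events per tracked IP in each
            # `seconds` window, counted from the first event of that window.
            win = self.windows[(rule["gid"], rule["sid"], self.tracked_ip(rule, ev))]
            if win["start"] is None or ev["ts"] - win["start"] >= rule["seconds"]:
                win["start"], win["seen"] = ev["ts"], 0
            win["seen"] += 1
            if win["seen"] > rule["count"]:
                return False
        return True


# Constructed alerts (ts seconds, gid, sid, src, dst); none are real captures.
SAMPLE_ALERTS = [
    (0,    1, 15306,   "10.0.0.25",   "10.0.1.7"),  # WSUS -> client: suppressed
    (5,    1, 2000419, "10.0.0.25",   "10.0.1.7"),  # WSUS -> client: suppressed
    (10,   1, 15306,   "203.0.113.9", "10.0.1.8"),  # PE from an outside host: still alerts
    (20,   1, 12798,   "10.0.0.50",   "10.0.1.9"),  # first NOOP hit from mail relay A: alerts
    (30,   1, 12798,   "10.0.0.50",   "10.0.1.9"),  # second within the hour: limited
    (40,   1, 12798,   "10.0.0.51",   "10.0.1.9"),  # mail relay B has its own counter: alerts
    (3700, 1, 12798,   "10.0.0.50",   "10.0.1.9"),  # relay A again, new window: alerts
]


def run_filter(conf_text, alerts):
    """Replay alerts through the parsed config and return the ones that survive."""
    flt = AlertFilter(parse_threshold_conf(conf_text))
    kept = []
    for ts, gid, sid, src, dst in alerts:
        ev = {"ts": ts, "gid": gid, "sid": sid, "src": src, "dst": dst}
        if flt.accept(ev):
            kept.append(ev)
    return kept


if __name__ == "__main__":
    for ev in run_filter(THRESHOLD_CONF, SAMPLE_ALERTS):
        print("%5d  [%d:%d]  %s -> %s" % (ev["ts"], ev["gid"], ev["sid"], ev["src"], ev["dst"]))
```

On a real sensor the same lines go into the threshold.conf that snort.conf pulls in with `include threshold.conf`; newer 2.x releases spell the rate-limiting directive `event_filter` where older ones used `threshold`, with the same options. The point of suppressing by_src on the WSUS address rather than disabling 15306 and 2000419 outright is visible in the third sample alert: a PE served from an unknown external host still fires. For rules you genuinely want gone, pulledpork's disablesid.conf takes `1:12798` style entries and oinkmaster's config takes `disablesid 12798`, and either keeps the rule disabled across cron-driven updates instead of relying on a hand edit to the rules file.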
Current thread:
- Fine tuning Snort James Lay (Oct 07)
- Re: Fine tuning Snort waldo kitty (Oct 07)
- <Possible follow-ups>
- Re: Fine tuning Snort James Lay (Oct 07)
- Re: Fine tuning Snort waldo kitty (Oct 07)
- Re: Fine tuning Snort James Lay (Oct 08)
- Re: Fine tuning Snort ScottO (Oct 08)
- Re: Fine tuning Snort James Lay (Oct 08)
- Re: Fine tuning Snort Joel Esler (Oct 08)
- Re: Fine tuning Snort James Lay (Oct 08)
- Re: Fine tuning Snort waldo kitty (Oct 07)
- Re: Fine tuning Snort waldo kitty (Oct 08)
- Re: Fine tuning Snort James Lay (Oct 08)
- Re: Fine tuning Snort Jefferson, Shawn (Oct 08)