Snort mailing list archives
Re: HELP ON SNORT
From: Joel Esler <jesler () sourcefire com>
Date: Mon, 30 Jan 2012 08:42:18 -0500
On Jan 30, 2012, at 7:53 AM, Paul Halliday wrote:
> On Sun, Jan 29, 2012 at 8:47 PM, Joel Esler <jesler () sourcefire com> wrote:
>> On Jan 29, 2012, at 7:38 PM, Dustin Webber <dustin.webber () gmail com> wrote:
>>> I have heard these concerns as well and it always ended up being someone who didn't tune their sensor and had 150k events every 30 minutes.
>>
>> Agreed!
>
> So do we just shake our fingers at them and move on?
No. It starts at my/our level. We have to make the engine easier to use, simpler to tune, easier to understand. That has a lot of steps to it, everything from making detection simpler, more effective, and easier to write rules for (and understand), to making memory management easier and making fewer configuration changes needed "out of the box". Then it comes to the organization, on/off state, and clarity of the ruleset.

File-identify was the first of those steps, as was the cleanup (I have a blog post about this upcoming). The next step in that process will take place over the next six months and will fundamentally change how Snort tuning is done. (More on this soon in a blog post before we begin the process; since it will affect EVERYONE, it will be posted on the blog and all our mailing lists.) Steps 4 and 5 of the ruleset changes are planned to happen later this year. (2012 is going to be a big year for the VRT ruleset.) It involves coordination with open source products to make things easier to use and tune. All things on my plate for this year.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
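The untuned sensor Dustin describes in the quoted exchange (150k events every 30 minutes) is, in practice, almost always a handful of rules firing on a handful of hosts, and the first tuning step is to find out which. The script below is an added example and is not part of this thread or of the Snort project's own tooling: it parses Snort 2.x alert_fast log lines, ranks rules by hit count, and emits candidate threshold.conf entries, an event_filter that rate-limits a noisy rule per source address, plus a suppress line when a single host accounts for nearly all of a rule's hits. The alert lines, the SIDs 2000001 to 2000003, the hosts and the share thresholds are all constructed for the example; real sensors should feed it their own alert file and every suggestion should be reviewed before it goes into threshold.conf.

```python
import re
from collections import Counter

# Constructed Snort 2.x alert_fast lines (not captured from a real sensor).
# Layout: timestamp  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {proto} src:port -> dst:port
SAMPLE_ALERTS = """\
01/30-08:00:01.000001  [**] [1:2000001:1] SAMPLE noisy policy rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.5:51000 -> 10.0.0.9:80
01/30-08:00:02.000001  [**] [1:2000001:1] SAMPLE noisy policy rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.5:51001 -> 10.0.0.9:80
01/30-08:00:03.000001  [**] [1:2000001:1] SAMPLE noisy policy rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.5:51002 -> 10.0.0.9:80
01/30-08:00:04.000001  [**] [1:2000001:1] SAMPLE noisy policy rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.5:51003 -> 10.0.0.9:80
01/30-08:00:05.000001  [**] [1:2000001:1] SAMPLE noisy policy rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.5:51004 -> 10.0.0.9:80
01/30-08:00:06.000001  [**] [1:2000001:1] SAMPLE noisy policy rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.5:51005 -> 10.0.0.9:80
01/30-08:00:07.000001  [**] [1:2000002:2] SAMPLE web attack signature [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:44001 -> 10.0.0.9:80
01/30-08:00:08.000001  [**] [1:2000002:2] SAMPLE web attack signature [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.7:44002 -> 10.0.0.9:80
01/30-08:00:09.000001  [**] [1:2000003:1] SAMPLE ICMP echo [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.9
this line is not an alert and must be skipped
"""

# One regex for the alert_fast layout. Ports are optional so ICMP lines parse too.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>\S+?)(?::(?P<dport>\d+))?$"
)


def parse_alerts(text):
    """Return a list of dicts, one per parseable alert line; unparseable lines are dropped."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def rank_rules(events, top=5):
    """Rules ordered by hit count: [((gid, sid, msg), count), ...]."""
    return Counter((e["gid"], e["sid"], e["msg"]) for e in events).most_common(top)


def suggest_filters(events, share=0.25, single_source_share=0.9, window=60):
    """Emit threshold.conf candidates for rules that dominate the alert volume.

    share: a rule must produce at least this fraction of all events to be considered.
    single_source_share: if one source address produces this fraction of a rule's hits,
    additionally propose suppressing that rule for that host only (hypothetical thresholds).
    """
    total = len(events)
    if total == 0:
        return []
    by_rule = {}
    for e in events:
        by_rule.setdefault((e["gid"], e["sid"]), []).append(e)
    suggestions = []
    for (gid, sid), hits in sorted(by_rule.items(), key=lambda kv: -len(kv[1])):
        if len(hits) / total < share:
            continue
        # type limit, count 1, seconds N: at most one alert per source per window, rule still logs.
        suggestions.append(
            f"event_filter gen_id {gid}, sig_id {sid}, type limit, track by_src, count 1, seconds {window}"
        )
        src, n = Counter(h["src"] for h in hits).most_common(1)[0]
        if n / len(hits) >= single_source_share:
            suggestions.append(
                f"# {src} produced {n} of {len(hits)} hits for sid {sid}; suppress only that host if it is known-good:"
            )
            suggestions.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}")
    return suggestions


if __name__ == "__main__":
    evs = parse_alerts(SAMPLE_ALERTS)
    print(f"{len(evs)} alerts parsed")
    for (gid, sid, msg), n in rank_rules(evs):
        print(f"{n:6d}  [{gid}:{sid}] {msg}")
    print("\n# candidate threshold.conf entries (review before applying)")
    print("\n".join(suggest_filters(evs)))
```

The event_filter keeps the rule enabled and still records one alert per source per window, so coverage is retained while the flood stops; suppress removes visibility for that host entirely, which is why the script only proposes it as a comment-flagged option when one address is responsible for the noise. Neither line is a substitute for looking at why the rule fires; a rule that fires on every HTTP request from one host may be a policy violation worth an alert rather than a tuning problem.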
Current thread:
- Re: HELP ON SNORT, (continued)
- Re: HELP ON SNORT Jeremy Hoel (Jan 27)
- Re: HELP ON SNORT Castle, Shane (Jan 27)
- Re: HELP ON SNORT Joel Esler (Jan 27)
- Re: HELP ON SNORT Heine Lysemose (Jan 28)
- Re: HELP ON SNORT Dustin Webber (Jan 28)
- Re: HELP ON SNORT Martin Holste (Jan 29)
- Re: HELP ON SNORT Joel Esler (Jan 29)
- Re: HELP ON SNORT Dustin Webber (Jan 29)
- Re: HELP ON SNORT Joel Esler (Jan 29)
- Re: HELP ON SNORT Paul Halliday (Jan 30)
- Re: HELP ON SNORT Joel Esler (Jan 30)
- Re: HELP ON SNORT Paul Halliday (Jan 30)
- Re: HELP ON SNORT beenph (Jan 30)
- Re: HELP ON SNORT Jefferson, Shawn (Jan 30)
- Re: HELP ON SNORT Lay, James (Jan 30)
- Re: HELP ON SNORT Jeremy Hoel (Jan 30)
- Re: HELP ON SNORT Dustin Webber (Jan 30)
- Re: HELP ON SNORT beenph (Jan 29)
- Re: HELP ON SNORT Dustin Webber (Jan 30)
- Re: HELP ON SNORT beenph (Jan 30)
- Re: HELP ON SNORT Martin Holste (Jan 30)