Snort mailing list archives
Re: Rules and Tuning
From: Steven Vona <savona () aivila com>
Date: Tue, 14 Aug 2012 16:52:36 -0400
Thanks for the help. But what I really need is a listing of all the rules. We want to go through the whole list and select what we need enabled and not enabled. Is this possible? On Tue, Aug 14, 2012 at 11:48 AM, Tony Robinson <trobinson () sourcefire com>wrote:
To expand on JJ's answer, This depends on what ruleset you are utilizing, Steve, but at least for the VRT ruleset, there are multiple ways for you to obtain more information for a given rule. If you have the sid number/message, the actual rule (or rule stub in the case of SO rules) will usually have metadata associated with the rule -- MS vulnerability IDs, CVE numbers, as well as links to websites with more information (e.g. links to bugtraq or MS technet, virustotal, etc.) If you don't want to dig in the .rules files, then, at least for VRT rules, snort.org has a rule search page, that, given a SID, can give you more information on a given rule www.snort.org/search additionally, the downloads page has a file, opensource.gz that has rule documentation available as well. Hope this helps, Tony On Mon, Aug 13, 2012 at 1:42 PM, Steven Vona <savona () aivila com> wrote:Is there someplace I can get a list of rules and what they are looking for? We are getting a ton of alerts and I would like to fine tunes which rules should be active and which rules should be disabled. I need more information than just the name of the rule. Thanks, Steve ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!-- Tony Robinson Security Consultant I SourceFIRE Professional Services Division
------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Rules and Tuning Steven Vona (Aug 14)
- Re: Rules and Tuning JJC (Aug 14)
- Re: Rules and Tuning Tony Robinson (Aug 14)
- Re: Rules and Tuning Steven Vona (Aug 16)
- Re: Rules and Tuning Joel Esler (Aug 16)
- Re: Rules and Tuning JJ Cummings (Aug 16)
- Re: Rules and Tuning Steven Vona (Aug 16)