Snort mailing list archives

Re: snort rules / arachnids


From: Erek Adams <erek () theadamsfamily net>
Date: Sun, 19 Aug 2001 09:56:08 -0700 (PDT)

On Sun, 19 Aug 2001, Jason Long wrote:

> Is arachNIDS meant to be run by itself or in conjunction with the snort
> rules? Currently I've been running the arachNIDS ruleset by itself and am
> wondering if I'm missing out on a lot of alerts. On the other hand, I don't
> want to be overwhelmed with false positives.

Well...  This is a 'loaded' question.  :)  Rulesets are meant to be used.
But, the more rules you have the longer it takes packets to be matched against
them.  If you only have 10 rules, well that's a whole lot less than 2,000.
Marty does some neat things to speed this up, but that basically holds true.

Here's the 'loaded' part:  Deciding what rules are important to you/your
company.  If you don't have _any_ machines running IIS, why turn it on?  Oh,
yeah, someone might have brought in a laptop with IIS running....  It's all a
policy decision.

> Any suggestions would be appreciated.

Go to http://www.snort.org/ or http://snort.sourcefire.com/ and check out the
downloads.  There's some perl there that will merge two rulesets and drop out
dupes.  There is also a Windows-based GUI at http://www.activeworx.com/.

Hope this helps.

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
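The two things Erek describes above, merging the snort.org and arachNIDS rule files without duplicates and then dropping the categories your policy says you do not need (e.g. WEB-IIS when nothing runs IIS), as an added example. This is not the perl script from the snort.org downloads nor anything from the original post; it is a small Python rewrite of the same idea. Duplicates are matched on `sid:` where a rule has one (the highest `rev:` wins), and on whitespace-normalized rule text for older rules that lack a sid. The rule lines in `SNORT_RULES` and `ARACHNIDS_RULES` are constructed samples with private-range sids, not real rules from either ruleset.

```python
"""Merge Snort rule files, drop duplicate rules, and filter by policy.
Added example, not the snort.org perl merge script. Sample rules below are
constructed for illustration; sids are in the private range, not real ones."""
import re

SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
REV_RE = re.compile(r'\brev\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg\s*:\s*"([^"]*)"\s*;')

# Constructed sample standing in for a snort.org rule file (not real rules).
SNORT_RULES = """# constructed sample, not a real snort.org rule file
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-IIS ISAPI .ida attempt"; flags:A+; uricontent:".ida?"; nocase; sid:1000001; rev:1; classtype:web-application-attack;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd overflow"; flags:A+; content:"|31c0 31db|"; sid:1000002; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; dsize:0; itype:8;)
"""

# Constructed sample standing in for an arachNIDS export: same IIS rule at a
# newer rev with an arachnids reference, the sid-less ICMP rule with different
# spacing, and one rule the other file does not have.
ARACHNIDS_RULES = """# constructed sample, not the real arachNIDS ruleset
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-IIS ISAPI .ida attempt"; flags:A+; uricontent:".ida?"; nocase; reference:arachnids,1; sid:1000001; rev:2; classtype:web-application-attack;)
alert  icmp  $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP";  dsize:0; itype:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named version attempt"; flags:A+; content:"|07|version"; nocase; sid:1000003; rev:1;)
"""


def parse_rules(text):
    """Return one rule string per rule, skipping blank/comment lines and
    joining lines that Snort continues with a trailing backslash."""
    rules, buf = [], ""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        rules.append((buf + line).strip())
        buf = ""
    return rules


def normalize(rule):
    """Canonical form for comparing rules without a sid: collapse whitespace."""
    return " ".join(rule.split())


def rule_key(rule):
    """Identity used for de-duplication: the sid if present, else the text."""
    m = SID_RE.search(rule)
    return ("sid", int(m.group(1))) if m else ("text", normalize(rule))


def rule_rev(rule):
    m = REV_RE.search(rule)
    return int(m.group(1)) if m else 0


def merge_rulesets(*texts):
    """Merge rule file contents in order. For a repeated sid the highest rev
    wins; for sid-less rules the first copy is kept. Output order is the order
    in which each rule was first seen."""
    merged, order = {}, []
    for text in texts:
        for rule in parse_rules(text):
            key = rule_key(rule)
            if key not in merged:
                merged[key] = rule
                order.append(key)
            elif rule_rev(rule) > rule_rev(merged[key]):
                merged[key] = rule
    return [merged[k] for k in order]


def drop_categories(rules, prefixes):
    """Policy filter: drop rules whose msg starts with one of the given
    category prefixes (e.g. "WEB-IIS" when no host runs IIS)."""
    kept = []
    for rule in rules:
        m = MSG_RE.search(rule)
        msg = m.group(1) if m else ""
        if not any(msg.startswith(p) for p in prefixes):
            kept.append(rule)
    return kept


if __name__ == "__main__":
    merged = merge_rulesets(SNORT_RULES, ARACHNIDS_RULES)
    for r in drop_categories(merged, ["WEB-IIS"]):
        print(r)
```

With the samples above the merge yields four rules (the IIS rule once, at rev 2 with the arachnids reference, and the ICMP rule once despite the different spacing); dropping the WEB-IIS category leaves three. To use it on real files, read each file into a string and pass them to `merge_rulesets` in the order of preference you want for sid-less duplicates.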

