Snort mailing list archives

Re: Automated snort tuner


From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 28 Apr 2003 14:34:10 -0400

At 03:02 PM 4/28/2003 +0100, Always Bishan wrote:
> Hi guys,
>
> Do we have an automated tuner for snort, or is anybody
> doing it?
>
> Thanx.
> Bishan

"automated tuner"? Do you mean something that automatically re-tweaks your ruleset for you?

Personally, I don't think I'd advise anyone to consider writing such a tool. People might be tempted to use it and not tune their setups themselves.

There's a very large amount of subjective opinion that goes into tuning a snort setup and an immense number of variables to consider. Any automated tool would do a half-assed job at best.

You could argue that automated tuning would be a good starting place, but I'd suspect most sysadmins would use it, and leave it as is without thinking about it. Besides, you need to be intimately familiar with your configuration in order to be able to make good sense of the alerts that are generated anyway. So auto-tuning doesn't save you much time anyway. You'll still have to thumb through the ruleset manually.




