Snort mailing list archives

Re: Making Snort Rules More "Sensitive"


From: Erek Adams <erek () snort org>
Date: Tue, 17 Jun 2003 11:46:44 -0400 (EDT)

On Tue, 17 Jun 2003, Rich Lichvar wrote:

> 2. We got dinged in a security audit last year about our IDS rules (Snort)
> not being "sensitive enough" and were told we needed to raise (lower?) the
> sensitivity thresholds. Okay, if someone can tell me where to start looking
> to accomplish this, I'd really appreciate the help.

Sounds like they need to give you more information.  It's not clear if
they mean "the rules are giving too many false positives" or "the rules
are not alerting enough".  What specifically are they expecting?  And if
you don't mind, just who are "they"?

At the most basic level, there isn't any "threshold" you can set.  It's
just a matter of rule tuning for either problem.  If you don't have Snort
configured correctly, you'll not get 'everything'.

Find out what they mean and then it'll be easier to point you in the right
direction.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

