Snort mailing list archives
Re: Good Snort Signatures
From: "Keith W. McCammon" <mccammon () gmail com>
Date: Tue, 24 Aug 2004 15:15:17 -0400
Try this (talks a good deal about tuning):
http://www.amazon.com/exec/obidos/tg/detail/-/0735712654/

And then this (talks about tuning Snort, specifically):
http://www.amazon.com/exec/obidos/tg/detail/-/1931836043/

Then, once you're back to implementation, maybe check out something like this (console that allows you to monitor more efficiently):
http://sguil.sourceforge.net

The rules are not "bunk." You have probably failed to tune your sensor(s). Most FPs/FNs are caused by operators who don't do things like disable preprocessor options that don't apply, comment out rules for services that aren't running, set variables appropriately, etc.

You can pay tens of thousands for some other IDS, with some other ruleset. If you turn everything on without tuning, you'll have the same result. Throwing money at the problem won't make the problem go away :)

On Tue, 24 Aug 2004 13:57:15 -0400, Adriel T. Desautels <atd () secnetops com> wrote:
> Greetings List,
>
> Does anyone here know where I can find low false positive snort rules? The rules from snort.org are simply bunk. They generate way too many false positives and even false negatives during certain types of events. I am not adverse to purchasing snort rules either, I just need something that works.
>
> -------------------------------------------------------
> SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media 100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33 Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
> http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
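The three tuning steps Keith names (set the variables, disable preprocessor options that don't apply, comment out rules for services that aren't running) look like this in a Snort 2.2-era snort.conf. This is an added illustration, not a fragment from either mail or from the Snort distribution; the 192.168.10.0/24 network, the host addresses, the list of services present and the choice of sid 1852 (WEB-MISC robots.txt access in the ruleset of that period) are all assumed placeholders for your own sensor.

```conf
# Added example (not from the mails above): stock settings shown commented
# out, followed by the tuned equivalent. Addresses, hosts and the set of
# services are assumed for illustration; substitute your own.

### BEFORE: the defaults that produce most of the noise ######################
# var HOME_NET any                   # every packet is "ours", every rule fires both ways
# var EXTERNAL_NET any
# var HTTP_SERVERS $HOME_NET         # web rules evaluated against hosts with no web server
# preprocessor bo                    # Back Orifice decoder on a segment with no Windows hosts
# include $RULE_PATH/web-iis.rules   # IIS rules on a network that only runs Apache
# include $RULE_PATH/oracle.rules    # no Oracle here either

### AFTER: tuned for this sensor ###########################################
# 1. Variables: describe what the sensor actually protects.
var HOME_NET 192.168.10.0/24
var EXTERNAL_NET !$HOME_NET
var HTTP_SERVERS [192.168.10.20,192.168.10.21]
var SMTP_SERVERS 192.168.10.25
var DNS_SERVERS [192.168.10.2,192.168.10.3]
var SQL_SERVERS 192.168.10.30
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var RULE_PATH /etc/snort/rules

# 2. Preprocessors: drop the ones that don't apply, scope the ones that do.
# preprocessor bo                    # nothing here for the Back Orifice decoder to find
# preprocessor arpspoof              # sensor is not on the segment it would check
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    profile apache ports { 80 8080 } # normalise only for the servers we run

# 3. Rule files: keep only those for services that exist on this network.
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-attacks.rules
# include $RULE_PATH/web-iis.rules       # no IIS
# include $RULE_PATH/web-frontpage.rules # no FrontPage extensions
# include $RULE_PATH/oracle.rules        # no Oracle
# include $RULE_PATH/mysql.rules         # no MySQL

# 4. Rules you need but that are noisy: rate-limit or suppress rather than
#    delete. These directives normally live in threshold.conf; they are
#    shown inline here so the fragment is self-contained.
# One alert per source per minute instead of one per request:
threshold gen_id 1, sig_id 1852, type limit, track by_src, count 1, seconds 60
# Never alert on that sid from the vulnerability scanner we run ourselves:
suppress gen_id 1, sig_id 1852, track by_src, ip 192.168.10.5
```

Step 4 is the part people skip: a rule that is right 1% of the time is still worth keeping if you can limit it to one alert per source per minute and suppress the handful of known-good sources, whereas commenting it out is what produces the false negatives Adriel mentions.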