Snort mailing list archives

RE: Good Snort Signatures <-- is all in tuning


From: "Williams Jon" <WilliamsJonathan () JohnDeere com>
Date: Wed, 25 Aug 2004 08:02:30 -0500

I've been doing the IDS thing for going on six years now, using a
commercial vendor and a couple of different FOSS products.  The most
important thing I've found is that no matter what tools you have, IDS is
close to useless unless the admins running/configuring it have deep,
intimate knowledge about the networks that are being watched.  If the
human element doesn't know what's supposed to be there and, more
importantly, what constitutes "normal" anomalies (i.e. that traffic
surge on Friday night at midnight is the weekly backups, the 100k alerts
coming out of a particular network on Sunday mornings is the side effect
of a routing change gone wrong, etc.), then your admins will spend a
huge amount of time chasing ghosts.

Since we did it the hard way (no budget, no training, political issues,
etc.), it took nearly three years before we really hit our stride.  Now,
with my six years on IDS and my co-worker's five years of networking,
we're finally getting our heads above water enough to start worrying
about other stuff :-)

Best of luck!

Jon

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Adriel T.
Desautels
Sent: Tuesday, August 24, 2004 9:03 PM
To: 'Patrick S. Harper'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Good Snort Signatures <-- is all in tuning

 
*** PGP SIGNATURE VERIFICATION ***
*** Status:   Unknown Signature
*** Signer:   Unknown Key (0xCC1D9AF3)
*** Signed:   8/24/2004 9:03:13 PM
*** Verified: 8/25/2004 7:44:28 AM
*** BEGIN PGP VERIFIED MESSAGE ***

Patrick et All,
        This is what I had suspected all along but wanted to check my
thoughts against you folks. I heard rumors about "better rules" or "more
well written rules" but have never seen such rule sets. My next
adventure, does anyone know of a utility which will configure snort
rules automatically based on a detected network configuration? If so,
please let me know. 


Adriel T. Desautels
Founder and CTO
Secure Network Operations
Embracing the future of technology, protecting you.
Office:  978-263-3829    Fax: 978-263-3313
atd () secnetops com      www.secnetops.com  

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Patrick S.
Harper
Sent: Tuesday, August 24, 2004 8:31 PM
To: atd () secnetops com; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Good Snort Signatures

I believe the problem is not in the rules but in the tuning.  It is not
an hour or two process for ANY ids.  I have worked with most of the
major versions in the last 5 years and even worked as an SE for one of
the manufacturers.

I find that a lot of people just install snort, crank it up, open acid
and get overwhelmed.  You have variables to define, and you need to do
all of them, not just home and external net.  Then you need to go through
and get rid of the rules that do not mean anything to you.

Patrick S. Harper | CISSP RHCT MCSE
www.internetsecurityguru.com

www.ntsug.org - Snort Users Group

"If there is no light at the end of the tunnel, get down there and light
the damn thing yourself!"
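Patrick's two tuning steps above (define every variable, then drop the rules that mean nothing on your network) can be turned into a quick audit. The script below is an added example, not code from this thread or from the Snort project: it parses a constructed Snort 2.x `snort.conf` excerpt and a constructed rule file (local SIDs in the 1000000+ range, `var` syntax as used by Snort 2.x), reports which variables are still left at `any`, lists the rules whose headers depend on those untuned variables, and comments out rules by SID. The sample configuration and rules are made up for illustration; point the functions at your own files.

```python
import re

# Constructed snort.conf excerpt (Snort 2.x 'var' syntax); not from the thread.
# HOME_NET is set, but several server variables are still at the default 'any'.
SAMPLE_CONF = """\
var HOME_NET 10.1.0.0/16
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS any
var HTTP_SERVERS any
var SQL_SERVERS any
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
include $RULE_PATH/web-iis.rules
include $RULE_PATH/sql.rules
"""

# Constructed rules with local SIDs (>= 1000000); payload contents are placeholders.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS constructed example"; flow:to_server,established; content:"/example.ida"; nocase; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL constructed example"; flow:to_server,established; content:"|02|"; sid:1000002; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP constructed example"; content:"public"; sid:1000003; rev:1;)
"""

VAR_RE = re.compile(r'^\s*var\s+(\S+)\s+(.+?)\s*$')   # var NAME VALUE
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')          # sid:NNN;
REF_RE = re.compile(r'\$([A-Za-z_]\w*)')               # $NAME references


def parse_vars(conf_text):
    """Map each 'var NAME VALUE' line of a snort.conf to NAME -> VALUE."""
    found = {}
    for line in conf_text.splitlines():
        m = VAR_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def untuned_vars(conf_text):
    """Variables still left at 'any': every rule using them fires on the whole net."""
    return sorted(name for name, val in parse_vars(conf_text).items()
                  if val.lower() == 'any')


def rules_using_untuned_vars(conf_text, rules_text):
    """SIDs whose rule header references a variable that is still 'any'."""
    untuned = set(untuned_vars(conf_text))
    hits = set()
    for line in rules_text.splitlines():
        if line.lstrip().startswith('#') or '(' not in line:
            continue
        header = line.split('(', 1)[0]          # header = everything before options
        sid = SID_RE.search(line)
        if sid and untuned.intersection(REF_RE.findall(header)):
            hits.add(int(sid.group(1)))
    return hits


def enabled_sids(rules_text):
    """SIDs of rules that are not commented out, in file order."""
    return [int(SID_RE.search(line).group(1))
            for line in rules_text.splitlines()
            if SID_RE.search(line) and not line.lstrip().startswith('#')]


def disable_rules(rules_text, sids_to_disable):
    """Return the rule file with the given SIDs commented out (Snort ignores '#' lines)."""
    out = []
    for line in rules_text.splitlines():
        m = SID_RE.search(line)
        if m and int(m.group(1)) in sids_to_disable and not line.lstrip().startswith('#'):
            out.append('# ' + line)
        else:
            out.append(line)
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    print('Variables still at any:', untuned_vars(SAMPLE_CONF))
    print('Rules depending on them:', sorted(rules_using_untuned_vars(SAMPLE_CONF, SAMPLE_RULES)))
    # Example: there is no SQL server on this network, so drop the MS-SQL rule.
    trimmed = disable_rules(SAMPLE_RULES, {1000002})
    print('Enabled after trimming:', enabled_sids(trimmed))
```

Run the two checks before going live: any variable reported by `untuned_vars` should either get a real address list or be deliberately left at `any`, and any SID returned by `rules_using_untuned_vars` is a rule that will alert on every host rather than the servers it was written for.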
 
-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Adriel T.
Desautels
Sent: Tuesday, August 24, 2004 12:57 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Good Snort Signatures

Greetings List, 
        Does anyone here know where I can find low false positive snort
rules?  The rules from snort.org are simply bunk.  They generate way too
many false positives and even false negatives during certain types of
events. I am not averse to purchasing snort rules either, I just need
something that works.



-------------------------------------------------------
SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only
$33 Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users





*** END PGP VERIFIED MESSAGE ***







