Snort mailing list archives

Re: snort rules/false positives


From: Michael Boman <michael.boman () gmail com>
Date: Thu, 9 Dec 2004 13:31:42 +0800

On Wed, 8 Dec 2004 22:14:30 -0500, RKejariwal () fiberlink com
<RKejariwal () fiberlink com> wrote:

> Hi All
> Is there any good documentation which outlines what are the minimum set of
> rule files that should be enabled on snort sensor. I am getting tons of
> messages and am not too sure how to keep up with it.

Sorry, there is no silver bullet for this one as every network is
different. I usually don't use icmp-info.rules, but again - ask
yourself what you want to know about your network (and the attacks
against it) and then configure snort for it. This is where Network IDS
becomes more of an Art than a Science. If you have trigger-happy rules,
take a look at them to see *why* they are trigger-happy for your
environment and then make the call if you are going to disable that
rule or perhaps put a threshold on it or something else.

On the site http://people.su.se/~andreaso/docs/README.avoiding_alerts
Andreas is talking about a few ways to limit the noise from the
rules. Take a look at it.

> Also is there a
> commercial product equivalent to snort which I can deploy so that I can
> obtain technical support.

Give SourceFire (www.sourcefire.com) a call. They develop snort and
also sell snort-based appliances (with support, of course).
 
Best regards
 Michael Boman
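The reply above suggests looking at *why* a rule is trigger-happy before disabling or thresholding it. The script below is an added example, not code from this thread or from the Snort project: it tallies Snort 2.x `alert_fast` log lines per rule (gid:sid), records how many distinct sources and destinations each rule fired on, ranks the busiest rules, and prints the matching Snort 2.x `threshold.conf` lines (`threshold` / `suppress` syntax) for review. The log lines, SIDs and IP addresses are constructed samples, and the minimum-count cutoff is an assumed tuning knob.

```python
"""Tally Snort alert_fast output per rule so noisy rules can be reviewed.

Added example (not from the mailing-list thread or the Snort project).
Assumes Snort 2.x alert_fast log lines and Snort 2.x threshold.conf syntax.
"""
import re

# Constructed sample alert_fast lines; SIDs and addresses are illustrative.
SAMPLE_ALERTS = """\
12/08-22:14:30.000001  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.1.1.54 -> 10.1.1.1
12/08-22:14:31.000002  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.1.1.54 -> 10.1.1.2
12/08-22:14:32.000003  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.1.1.54 -> 10.1.1.3
12/08-22:14:33.000004  [**] [1:408:5] ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.1.1.1 -> 10.1.1.54
12/08-22:14:40.000005  [**] [1:1000001:1] LOCAL suspicious shell on port 4444 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.0.2.9:51234 -> 10.1.1.20:4444
"""

# [**] [gid:sid:rev] message [**] ... {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?"
)


def parse_alerts(text):
    """Parse alert_fast lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def tally(events):
    """Aggregate per (gid, sid): hit count plus distinct sources and destinations."""
    stats = {}
    for e in events:
        key = (int(e["gid"]), int(e["sid"]))
        s = stats.setdefault(key, {"msg": e["msg"], "count": 0,
                                   "sources": set(), "dests": set()})
        s["count"] += 1
        s["sources"].add(e["src"])
        s["dests"].add(e["dst"])
    return stats


def noisy_rules(stats, min_count=3):
    """Rules that fired at least min_count times, busiest first (min_count is an assumed cutoff)."""
    return sorted(((k, v) for k, v in stats.items() if v["count"] >= min_count),
                  key=lambda kv: kv[1]["count"], reverse=True)


def suggest_threshold(gid, sid, seconds=60):
    """Snort 2.x threshold.conf line: at most one alert per source per time window."""
    return (f"threshold gen_id {gid}, sig_id {sid}, type limit, "
            f"track by_src, count 1, seconds {seconds}")


def suggest_suppress(gid, sid, ip):
    """Snort 2.x threshold.conf line: silence the rule for one known-benign source."""
    return f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {ip}"


if __name__ == "__main__":
    stats = tally(parse_alerts(SAMPLE_ALERTS))
    for (gid, sid), s in noisy_rules(stats):
        print(f"{gid}:{sid} {s['msg']!r}: {s['count']} alerts, "
              f"{len(s['sources'])} source(s), {len(s['dests'])} destination(s)")
        print("  review, then consider:", suggest_threshold(gid, sid))
        if len(s["sources"]) == 1:
            print("  or, if that host is expected to do this:",
                  suggest_suppress(gid, sid, next(iter(s["sources"]))))
```

Run it against a real `alert` file in place of `SAMPLE_ALERTS`; a rule that fires many times from one source against many destinations (a scanner, or a monitoring host) is a different tuning decision from one that fires from many sources, which is why the distinct-source and distinct-destination counts are kept alongside the raw hit count.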

