Snort mailing list archives
Re: snort rules/false positives
From: Michael Boman <michael.boman () gmail com>
Date: Thu, 9 Dec 2004 13:31:42 +0800
On Wed, 8 Dec 2004 22:14:30 -0500, RKejariwal () fiberlink com <RKejariwal () fiberlink com> wrote:
> Hi All,
>
> Is there any good documentation which outlines what are the minimum set of rule files that should be enabled on snort sensor? I am getting tons of messages and am not too sure how to keep up with it.
Sorry, there is no silver bullet for this one as every network is different. I usually don't use icmp-info.rules, but again - ask yourself what you want to know about your network (and the attacks against it) and then configure snort for it. This is where Network IDS becomes more of an Art than a Science.

If you have trigger-happy rules, take a look at them to see *why* they are trigger-happy for your environment and then make the call if you are going to disable that rule or perhaps put a threshold on it or something else.

On the site http://people.su.se/~andreaso/docs/README.avoiding_alerts Andreas is talking about a few ways to limit the noise from the rules. Take a look at it.
> Also, is there a commercial product equivalent to snort which I can deploy so that I can obtain technical support?
Give SourceFire (www.sourcefire.com) a call. They develop snort and also sell snort-based appliances (with support, of course).

Best regards
Michael Boman
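As an added example that is not part of the original post: one way to find which rules are trigger-happy, and whether the noise comes from a single host, before deciding to disable, threshold or leave a rule. It assumes alerts are written in Snort's "fast" alert format; the sample lines and the function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in Snort "fast" alert format (not taken from the thread).
SAMPLE_ALERTS = """\
12/09-13:30:01.100000  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.10 -> 192.0.2.1
12/09-13:30:02.100000  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.10 -> 192.0.2.1
12/09-13:30:03.100000  [**] [1:1418:11] SNMP request tcp [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:40000 -> 192.0.2.1:161
12/09-13:30:04.100000  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.11 -> 192.0.2.1
12/09-13:30:05.100000  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.10 -> 192.0.2.1
12/09-13:30:06.100000  [**] [1:1418:11] SNMP request tcp [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:40001 -> 192.0.2.1:161
"""

ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
)

def strip_port(endpoint):
    """Drop a trailing :port from an IPv4 endpoint such as 192.0.2.10:1234."""
    return endpoint.rsplit(":", 1)[0] if endpoint.count(":") == 1 else endpoint

def rank_noisy_rules(text):
    """Return [(gid, sid, msg, total, top_src, top_src_share)], noisiest first."""
    totals = Counter()
    sources = defaultdict(Counter)
    messages = {}
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # skip blank or non-alert lines
        key = (int(m["gid"]), int(m["sid"]))
        totals[key] += 1
        sources[key][strip_port(m["src"])] += 1
        messages[key] = m["msg"]
    report = []
    for key, total in totals.most_common():
        top_src, hits = sources[key].most_common(1)[0]
        report.append((key[0], key[1], messages[key], total, top_src, hits / total))
    return report

if __name__ == "__main__":
    for gid, sid, msg, total, src, share in rank_noisy_rules(SAMPLE_ALERTS):
        print(f"{gid}:{sid} {msg!r}: {total} alerts, {share:.0%} from {src}")
```

A rule whose alerts come almost entirely from one known host is a candidate for handling that source specifically, while a rule that fires from everywhere is a candidate for a threshold or for disabling.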