Snort mailing list archives
RE: New Snort 2.2 Rules
From: "Andre' M. DiMino" <tsamp77 () optonline net>
Date: Wed, 14 Sep 2005 17:07:45 -0400
I've noticed the same thing in my configuration where Snort is much more quiet than it used to be... False positives and "noise" seem to be at a minimum now. This is definitely not at the expense of solid detection however. I really put Snort 2.4 through some heavy tests with Nessus and other tools, and it does detect everything just fine.

In looking at the rules, I noticed that many of the rules now use the flow:established option. I might be mistaken, but I don't think this was always the case with the rules. I think a preprocessor used to handle the flow conditions. In a rule with flow:established, Snort will only detect the anomalies that occur during an established connection. It doesn't alert on the packets that are simply aimed at your network segment, but not actually traversing an existing connection. Do I have this right?

From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Walt Rich
Sent: Wednesday, September 14, 2005 4:27 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] New Snort 2.2 Rules

I updated the Snort rules to the latest available on SourceForge's site. They were quite out of date, and almost a year old. Snort is up and running, but has become very quiet! It used to detect a lot of false positives, which were a pain, but at least I knew it was working. Now it is very, very quiet, and hasn't detected anything in over 2 hours. Is it possible that the rule writers have become so good that the detection of false positives has been almost eliminated? Has anyone else experienced anything similar? Any input is greatly appreciated. Thanks!

Walt Rich | Sr. Network Engineer | Parago, Inc. | 972.538.7253 | walt.rich () parago com
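The difference Andre describes, as an added illustration that is not Snort's own code: a toy flow tracker that applies the same content rule with and without a flow:established check, so that a payload arriving outside any tracked session is reported only by the stateless rule. The handshake model, rule contents and addresses are constructed assumptions; real Snort takes session state from its stream preprocessor.

```python
# Added illustration, not Snort's own code: a toy model of how a rule carrying
# flow:established differs from a stateless content match. All packets, rule
# contents and addresses below are constructed for this example.
from collections import namedtuple

Pkt = namedtuple("Pkt", "src dst flags payload", defaults=(b"",))  # flags e.g. "S", "SA", "A", "PA"
Rule = namedtuple("Rule", "name content established")             # established models flow:established

class FlowTracker:
    """Follows TCP three-way handshakes per (client, server) pair, as a stream preprocessor does."""
    def __init__(self):
        self.state = {}   # (client, server) -> "SYN" | "SYNACK" | "ESTABLISHED"

    def observe(self, p):
        if p.flags == "S":
            self.state[(p.src, p.dst)] = "SYN"
        elif p.flags == "SA" and self.state.get((p.dst, p.src)) == "SYN":
            self.state[(p.dst, p.src)] = "SYNACK"
        elif "A" in p.flags and self.state.get((p.src, p.dst)) == "SYNACK":
            self.state[(p.src, p.dst)] = "ESTABLISHED"

    def established(self, p):
        # A session counts as established in either direction of traffic
        return "ESTABLISHED" in (self.state.get((p.src, p.dst)), self.state.get((p.dst, p.src)))

def matches(rule, p, tracker):
    if rule.established and not tracker.established(p):
        return False      # flow:established: packets outside a tracked session are never inspected
    return rule.content in p.payload

def run(packets, rules):
    """Returns (rule name, source address) for every alert, in packet order."""
    tracker, alerts = FlowTracker(), []
    for p in packets:
        tracker.observe(p)
        alerts += [(r.name, p.src) for r in rules if matches(r, p, tracker)]
    return alerts

RULES = [Rule("stateless", b"/etc/passwd", False),
         Rule("flow_established", b"/etc/passwd", True)]
CLIENT, SERVER, PROBE = "10.0.0.5", "10.0.0.80", "203.0.113.9"   # constructed addresses
SAMPLE = [
    Pkt(PROBE, SERVER, "PA", b"GET /etc/passwd HTTP/1.0"),   # unsolicited probe, no handshake
    Pkt(CLIENT, SERVER, "S"), Pkt(SERVER, CLIENT, "SA"), Pkt(CLIENT, SERVER, "A"),
    Pkt(CLIENT, SERVER, "PA", b"GET /etc/passwd HTTP/1.0"),  # same payload inside a real session
]
```

Running `run(SAMPLE, RULES)` yields two alerts for the stateless rule but only one for the flow:established rule, which is the kind of quieting the thread is discussing.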