Snort mailing list archives

Snort / Alert Management Best Practices

From: "Daryl J. Rue" <drue () mail paydq com>
Date: Wed, 19 Jul 2006 11:17:41 -0500

Interesting that I did not receive a response to my question as to what may
be some good best practice references as to the daily use of snort.  

Is everyone just monitoring ad-hoc?  Or are you just consistently fine
tuning the rules so only events that require action are shown?

What do you tell you auditors are your IDS response procedures?

Perhaps some answers will come as I continue to prepare for Security+ cert,
where exam objective 1.4 states:

1.4     Recognize the following attacks and specify the appropriate actions
to take to mitigate vulnerability and risk.


Daryl 



-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys -- and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

ignore bad rule on startup kakomon (Jul 19)
- Re: ignore bad rule on startup Paul Schmehl (Jul 19)
  - Re: ignore bad rule on startup kakomon (Jul 19)
    - Re: ignore bad rule on startup Paul Schmehl (Jul 19)
- Snort / Alert Management Best Practices Daryl J. Rue (Jul 19)
  - Re: Snort / Alert Management Best Practices Frank Knobbe (Jul 19)
- <Possible follow-ups>
- Re: ignore bad rule on startup Klein, Jeremie (Jul 19)
  - Re: ignore bad rule on startup kakomon (Jul 19)
    - Re: ignore bad rule on startup Joel Esler (Jul 19)
    - Re: ignore bad rule on startup Matthew Watchinski (Jul 19)