Re: Snort Configurations

[waldo kitty <wkitty42 () windstream net>]

On 9/22/2010 12:39, Greg Lane wrote:
> I’m starting to learn how to tune my Snort install and it is a slow process.  I
> have alerts like crazy because I know it needs to be tuned and I especially have
> a lot of http_inspect alerts coming up. I’ve been reading and from what I can
> gather if you don’t have a websever you may not really need this in operation or
> am I wrong?

the answer is "it depends"... it depends on if you want to monitor outbound http 
traffic to possibly catch infestations on your network that are reporting in or 
attacking remote http servers... you might also catch (and be able to prevent) 
internal machines that are being redirected to driveby sites that would (attempt 
to) load them with infestation materials...

> If I am wrong then what is the best possible solution for me to cut
> down most of the alerts which are false positives so to speak or aren’t
> dangerous at all? This will probably be one of many questions concerning configs
> coming to an email box near you.

false positives need to be reported to those who write those rules so they can 
be looked into and adjusted if necessary...


------------------------------------------------------------------------------
Start uncovering the many advantages of virtual appliances
and start using them to simplify application deployment and
accelerate your shift to cloud computing.
http://p.sf.net/sfu/novell-sfdev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users