Snort mailing list archives

Re: Fine tuning Snort


From: waldo kitty <wkitty42 () windstream net>
Date: Thu, 07 Oct 2010 12:56:09 -0400

On 10/7/2010 12:26, James Lay wrote:
Hello All.

So I'm needing to fine tune snort a bit.  I get a high amount of FP's on
things like:

Emails with .jpg's:
[1:12798:3] SHELLCODE base64 x86 NOOP [**] [Classification: Executable
Code was Detected]

exe downloads from Windows Updates:
[1:15306:4] WEB-CLIENT Portable Executable binary file transfer
[1:2000419:12] ET POLICY PE EXE or DLL Windows file download

I'd rather not just comment out these rules... what are other folks doing
to minimize FP's? Thank you.

use the threshold file, luke... use the threshold file ;)

here's a working *sample* threshold.conf...

# this file is used to set threshold levels on or to
# completely suppress a gid:sid without modifying the
# actual rules themselves.
# see README.filter for details
#
# DNS Spoof stuff from google's public dns servers
suppress gen_id 1, sig_id 254, track by_src, ip 8.8.4.4
suppress gen_id 1, sig_id 254, track by_src, ip 8.8.8.8

# Consecutive TCP small segments exceeding threshold
# from irc.oftc.net systems - ping, are you there?
suppress gen_id 129, sig_id 12, track by_src, ip 12.31.165.82
suppress gen_id 129, sig_id 12, track by_src, ip 64.62.190.36
suppress gen_id 129, sig_id 12, track by_src, ip 66.184.117.12
suppress gen_id 129, sig_id 12, track by_src, ip 72.32.146.136
suppress gen_id 129, sig_id 12, track by_src, ip 140.211.166.64
suppress gen_id 129, sig_id 12, track by_src, ip 206.12.19.242
suppress gen_id 129, sig_id 12, track by_src, ip 207.192.72.99

# Suppress http_inspect LONG HEADER
suppress gen_id 119, sig_id 19

# Suppress TCP Timestamp is outside of PAWS window
suppress gen_id 129, sig_id 3

# Suppress TCP Timestamp is outside of PAWS window
suppress gen_id 129, sig_id 4

# Suppress Bad segment, adjusted size <= 0
suppress gen_id 129, sig_id 5

# Suppress Limit on number of overlapping TCP packets reached
suppress gen_id 129, sig_id 7

# Suppress Consecutive TCP small segments exceeding threshold
suppress gen_id 129, sig_id 12

# Suppress SENSITIVE-DATA U.S. Social Security Numbers (w/out dashes)
suppress gen_id 138, sig_id 4

# Suppress SENSITIVE-DATA Email Addresses
suppress gen_id 138, sig_id 5

# Suppress SENSITIVE-DATA SDF_COMBO_ALERT
suppress gen_id 139, sig_id 1
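
A way to dry-run a threshold.conf against captured alert lines before loading it into Snort, added here as an example and not code from the thread or from the Snort project: it parses `suppress` lines in the syntax shown above (a bare suppress silences the gid:sid everywhere, a `track by_src`/`by_dst` one only for the listed address or CIDR) and reports which alert_fast-style lines would still fire. The conf fragment, the alert lines and the 192.0.2.0/24 range are constructed; `event_filter`/`threshold` lines are not modelled.

```python
import ipaddress
import re
# Constructed threshold.conf fragment (syntax as in the sample above); 192.0.2.0/24 is a placeholder range.
SAMPLE_CONF = """\
suppress gen_id 119, sig_id 19
# the next two are silenced only when the packet comes from the listed source
suppress gen_id 1, sig_id 254, track by_src, ip 8.8.8.8
suppress gen_id 1, sig_id 15306, track by_src, ip 192.0.2.0/24
"""
# Constructed alert lines in Snort's alert_fast style (documentation address ranges).
SAMPLE_ALERTS = [
    "[1:15306:4] WEB-CLIENT Portable Executable binary file transfer {TCP} 192.0.2.20:80 -> 10.0.0.5:49152",
    "[1:15306:4] WEB-CLIENT Portable Executable binary file transfer {TCP} 203.0.113.9:80 -> 10.0.0.5:49153",
    "[1:254:2] DNS SPOOF query response {UDP} 8.8.8.8:53 -> 10.0.0.5:5353",
    "[119:19:1] (http_inspect) LONG HEADER {TCP} 10.0.0.5:49154 -> 198.51.100.3:80",
    "[1:12798:3] SHELLCODE base64 x86 NOOP {TCP} 203.0.113.9:25 -> 10.0.0.5:49155",
]

# gid:sid:rev, then "{PROTO} src[:port] -> dst[:port]" at the end of the line
ALERT_RE = re.compile(r"\[(\d+):(\d+):\d+\].*?\{\w+\} "
                      r"(\d+(?:\.\d+){3})(?::\d+)? -> (\d+(?:\.\d+){3})(?::\d+)?$")

def parse_suppress_rules(conf_text):
    """Return (gid, sid, track, network) tuples; network is None for a global suppress."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("suppress "):
            continue  # event_filter/threshold lines are not modelled here
        opts = dict(part.split() for part in line[len("suppress "):].split(","))
        net = ipaddress.ip_network(opts["ip"], strict=False) if "ip" in opts else None
        rules.append((int(opts["gen_id"]), int(opts["sig_id"]), opts.get("track"), net))
    return rules

def is_suppressed(alert, rules):
    m = ALERT_RE.search(alert)
    if not m:
        raise ValueError("unrecognised alert line: " + alert)
    gid, sid = int(m.group(1)), int(m.group(2))
    src, dst = ipaddress.ip_address(m.group(3)), ipaddress.ip_address(m.group(4))
    for r_gid, r_sid, track, net in rules:
        if (r_gid, r_sid) != (gid, sid):
            continue
        if net is None or (track == "by_src" and src in net) or (track == "by_dst" and dst in net):
            return True
    return False

def surviving_alerts(alerts, conf_text):
    rules = parse_suppress_rules(conf_text)
    return [a for a in alerts if not is_suppressed(a, rules)]
```

Running `surviving_alerts(SAMPLE_ALERTS, SAMPLE_CONF)` leaves only the PE download from the untrusted host and the SHELLCODE alert, which shows where a further by_src suppress or an event_filter would still be needed.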

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users