Snort mailing list archives

Re: snort rule tuning and weeding out false positives


From: Alex Kirk <akirk () sourcefire com>
Date: Thu, 17 Mar 2011 08:57:55 -0400

Tuning is always one of the more interesting parts of setting up Snort. The
good news is, you've already essentially stated the guiding principle of the
process: use only what you actually need.

The easy first step - beyond using PulledPork to start out with one of the
VRT-recommended default policies - is to turn off entire categories of rules
that don't apply; for example, if you've got no Oracle servers to defend,
oracle.rules stays off. From there, depending on how confident you are in
your environment's patching process, you can go through and start turning
off older rules; as a rule of thumb, anything more than 5 years old is
pretty much a case of "default is off, until proven otherwise". You can also
go ahead and disable individual rules for software you don't have.

That said, as for the particular event you're getting hits on - if you want
to send some sample events over to me directly, I'd be curious to see if
they look like legit attacks or if we need to tune the rule.

On Thu, Mar 17, 2011 at 8:30 AM, Youngquist, Jason R. <jryoungquist () ccis edu> wrote:

Hi.

I’m new to Snort and am trying to weed out false positives and ignore
events that are purely informational. I was wondering if anyone could
recommend any good howtos/docs/methodology on how to go about Snort rule
tuning.

For example, I have this rule, sid 17441, which is “CHAT MSN Messenger and
Windows Live Messenger Code Execution attempt” and have gotten it several
times from multiple student machines. It appears that this was an issue
back in 2007 with Microsoft MSN Messenger 6.2, 7.0, and 7.5. Right now,
Windows Live Messenger 2011 seems to be the current version. So I’m assuming
that this is a false positive and I can ignore this rule. Thoughts?

Thanks.

Jason Youngquist
Information Technology Security Engineer
Technology Services
Columbia College
1001 Rogers Street, Columbia, MO 65216
(573) 875-7334
jryoungquist () ccis edu
http://www.ccis.edu




------------------------------------------------------------------------------
Colocation vs. Managed Hosting
A question and answer guide to determining the best fit
for your organization - today and in the future.
http://p.sf.net/sfu/internap-sfd2d
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org




-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com
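The tuning policy Alex lays out above (switch off whole rule categories that do not apply, switch off individual rules for software you do not run, and default to off for rules whose referenced vulnerability is more than 5 years old), as an added Python example that is not code from this thread, from Snort or from PulledPork. The rule bodies and the CVE ids in them are constructed placeholders (only the year is read), the reference year 2011 is the thread's date, and the output uses the gid:sid form of a PulledPork disablesid.conf entry; note that the MSN Messenger rule from the question references 2007 and therefore is not caught by the age threshold, which matches Alex's suggestion to look at the actual events before turning it off.

```python
import re
# Constructed sample rule files: bodies are illustrative, CVE ids are placeholders.
RULE_FILES = {
    "chat.rules": (
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 1863 (msg:"CHAT MSN Messenger '
        'and Windows Live Messenger Code Execution attempt"; '
        'reference:cve,2007-XXXX; classtype:attempted-user; sid:17441; rev:1;)\n'
    ),
    "oracle.rules": (
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 1521 (msg:"ORACLE constructed"; '
        'reference:cve,2009-XXXX; sid:900001; rev:1;)\n'
    ),
    "web-misc.rules": (
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC old"; '
        'reference:cve,2004-XXXX; sid:900002; rev:1;)\n'
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC recent"; '
        'reference:cve,2010-XXXX; sid:900003; rev:1;)\n'
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC undated"; '
        'sid:900004; rev:1;)\n'
    ),
}
SID_RE = re.compile(r"\bsid:(\d+);")
CVE_YEAR_RE = re.compile(r"reference:cve,(\d{4})-")

def rule_year(rule):
    """Oldest CVE year a rule references, or None when it has no CVE reference."""
    years = [int(y) for y in CVE_YEAR_RE.findall(rule)]
    return min(years) if years else None

def plan_disables(rule_files, off_categories, off_sids, max_age=5, year_now=2011):
    """Return {sid: reason} for every enabled rule the tuning policy turns off."""
    plan = {}
    for fname, text in rule_files.items():
        for line in text.splitlines():
            m = SID_RE.search(line)
            if not m or line.lstrip().startswith("#"):
                continue  # not a rule, or already commented out
            sid, year = int(m.group(1)), rule_year(line)
            if fname in off_categories:
                plan[sid] = f"category {fname} not applicable"
            elif sid in off_sids:
                plan[sid] = "software not present"
            elif year is not None and year_now - year > max_age:
                plan[sid] = f"references a {year} vulnerability, over {max_age} years old"
    return plan

def disablesid_lines(plan, gid=1):
    """Render the plan as PulledPork disablesid.conf entries (gid:sid per line)."""
    return [f"{gid}:{sid}" for sid in sorted(plan)]
```

Run it with `plan_disables(RULE_FILES, {"oracle.rules"}, {900003})` and feed `disablesid_lines(...)` into disablesid.conf; an undated rule is deliberately left enabled, since the absence of a CVE reference says nothing about its age.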
