Snort mailing list archives
Re: Reliability of signatures
From: waldo kitty <wkitty42 () windstream net>
Date: Fri, 04 Feb 2011 20:02:25 -0500
On 2/4/2011 14:03, beenph wrote:
All the changes to a submission system will still be context relevant and might not apply to you and you will end up having people who will not try to understand what they actually see but will basically rely on that to apply automatic rules tuning and the problem will still be there for the "unknown" proportion of people who do not take time to tune and manage their rule set.
i can agree almost 100% on this paragraph... my tool and environment require tuning for the network being protected... even if one doesn't use my tool, they must tune snort's rules for their network or else they will be quite overrun by alerts that are not problematic for their network... i had the chance to work (from remote) on a system over in norway the other week... their snort was quite overloaded with "too many small tcp packets" alerts... it didn't take me long to discover that they have several cisco products in their setup... it also didn't take me long to discover that they have a lot of snmp traffic even though they are not using much/any of it... they may not even know that it is available or they may simply not have the tools to utilize the information in that snmp traffic... anyway, once i thresholded several snort rules and completely disabled other extremely talkative ones, it was much easier to see things on their network that were of interest and indicating possible problems... the sad part of this tale is that i've been working with them for over a year and describing the necessity and method of tuning but this was the first time that i had a chance to actively enter their system and do it myself... it was quite satisfying to get things cleaned up enough for them to actually start assisting in the protection of their network rather than them spending so much time wading thru cr4p alerts and basically giving up because of being overwhelmed...
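The tuning workflow waldo kitty describes (find out which signatures dominate the alert stream, then threshold the talkative ones and suppress the ones that are confirmed noise from known devices) can be scripted as a first triage pass. The script below is an added example, not code from the original post or from the Snort project. It reads Snort `alert_fast` lines, tallies them by GID:SID together with the source hosts behind each signature, and drafts `threshold.conf` entries using Snort 2.x `event_filter` / `suppress` syntax. The rule ids 1:1000001 to 1:1000003, the alert messages and the addresses in the built-in sample are constructed placeholders, not real Snort or Emerging Threats signatures.

```python
"""Triage Snort alert_fast output by signature and draft threshold.conf entries.

Added example (not from the original post or from Snort). Assumes the Snort 2.x
threshold.conf syntax for event_filter and suppress; the sample data is constructed.
"""
import re
import sys
from collections import Counter, defaultdict

# One alert_fast line looks like:
#   02/04-14:03:00.000000  [**] [1:1000001:1] MESSAGE [**] [Priority: 3] {TCP} SRC:PORT -> DST:PORT
FAST_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{\w+\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?"
)


def _fast_line(ts, gid, sid, msg, src, dst):
    """Build one alert_fast style line (used only for the constructed sample)."""
    return f"{ts}  [**] [{gid}:{sid}:1] {msg} [**] [Priority: 3] {{TCP}} {src} -> {dst}"


# Constructed sample: GID:SID 1:1000001..1:1000003 are local placeholder ids, not
# real signatures; addresses come from the RFC 5737 documentation ranges.
SAMPLE_ALERTS = (
    [_fast_line(f"02/04-14:03:{i:02d}.000000", 1, 1000001,
                "LOCAL small TCP segments from network device",
                "192.0.2.10:443", f"192.0.2.50:5{i:04d}") for i in range(10)]
    + [_fast_line(f"02/04-14:04:{i:02d}.000000", 1, 1000002,
                  "LOCAL SNMP request to monitoring host",
                  f"192.0.2.1{i % 2}:161", "192.0.2.60:49152") for i in range(4)]
    + [_fast_line("02/04-14:05:00.000000", 1, 1000003,
                  "LOCAL outbound connection to unexpected port",
                  "192.0.2.70:51000", "198.51.100.9:4444")]
)


def summarize(lines):
    """Count alerts per (gid, sid) and the distinct source IPs that triggered each."""
    counts = Counter()
    sources = defaultdict(Counter)
    messages = {}
    for line in lines:
        m = FAST_RE.search(line)
        if not m:
            continue  # blank line or a different output format; skip it
        key = (int(m["gid"]), int(m["sid"]))
        counts[key] += 1
        sources[key][m["src"]] += 1
        messages[key] = m["msg"]
    return counts, sources, messages


def draft_threshold_conf(counts, sources, messages, limit_share=0.10,
                         suppress_share=0.50, max_sources=2, seconds=60):
    """Return {(gid, sid): (action, threshold.conf lines)}.

    A signature that dominates the feed and comes from only a few hosts is a
    candidate for a per-source suppress, to be applied after confirming those
    hosts are the known chatty devices (the switches and SNMP pollers in the
    post). Anything else above limit_share gets a rate limit of one alert per
    source per window, so the event stays visible without flooding the console.
    Everything else is left alone; thresholds are a tuning aid, not a filter
    that replaces reading the alerts.
    """
    total = sum(counts.values())
    plan = {}
    for (gid, sid), n in counts.most_common():
        share = n / total if total else 0.0
        comment = f"# {messages[(gid, sid)]}: {n}/{total} alerts ({share:.0%})"
        if share >= suppress_share and len(sources[(gid, sid)]) <= max_sources:
            lines = [comment] + [
                f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {ip}"
                for ip in sorted(sources[(gid, sid)])]
            plan[(gid, sid)] = ("suppress", lines)
        elif share >= limit_share:
            lines = [comment,
                     f"event_filter gen_id {gid}, sig_id {sid}, type limit, "
                     f"track by_src, count 1, seconds {seconds}"]
            plan[(gid, sid)] = ("limit", lines)
        else:
            plan[(gid, sid)] = ("keep", [])
    return plan


def main(argv):
    """Usage: python triage.py [alert_fast_file]; with no file, uses the sample."""
    lines = open(argv[1]).read().splitlines() if len(argv) > 1 else SAMPLE_ALERTS
    plan = draft_threshold_conf(*summarize(lines))
    for action, conf_lines in plan.values():
        if action != "keep":
            print("\n".join(conf_lines))


if __name__ == "__main__":
    main(sys.argv)
```

Run it against a real `alert` file to get a draft; the output is meant to be reviewed, not appended blindly. The suppress lines are scoped with `track by_src, ip` to the hosts that actually produced the noise, so the same signature keeps firing if an unexpected host starts triggering it, which is the difference between tuning a rule and switching it off.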