Snort mailing list archives

Re: HELP ON SNORT


From: Joel Esler <jesler () sourcefire com>
Date: Mon, 30 Jan 2012 08:42:18 -0500

On Jan 30, 2012, at 7:53 AM, Paul Halliday wrote:
On Sun, Jan 29, 2012 at 8:47 PM, Joel Esler <jesler () sourcefire com> wrote:
On Jan 29, 2012, at 7:38 PM, Dustin Webber <dustin.webber () gmail com> wrote:

I have heard these concerns as well and it always ended up being someone who didn't tune their sensor and had 150k 
events every 30 minutes.

Agreed!

So do we just shake our fingers at them and move on?

No.  It starts at my/our level.  We have to make the engine easier to use, simpler to tune, easier to understand.  That 
has a lot of steps to it, everything from making detection simpler, more effective, and easier to write rules for (and 
understand), to making memory management easier and making fewer configuration changes needed "out of the box".  

Then it comes to the organization, on/off state, and clarity of the ruleset.  File-identify was the first of those 
steps, so was the cleanup (I have a blog post about this upcoming), the next step that we're doing in that process will 
take place over the next six months, and will fundamentally change how Snort tuning is done.  (More on this soon in a 
blog post before we begin the process, and since it will affect EVERYONE, it will be posted on the blog and all our 
mailing lists.)

Steps 4 and 5 of the ruleset changes (I'm planning to) happen later this year.  (2012 is going to be a big year for the 
VRT ruleset.)

It involves coordination with open source products to make things easier to use and tune.  All things on my plate for 
this year.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
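For readers who hit the "150k events every 30 minutes" problem Dustin describes above, the following is an added illustration of what sensor tuning looks like in Snort 2.x, not something posted in this thread or shipped with the VRT ruleset.  It uses the documented threshold.conf directives; the gen_id/sig_id values and the IP address are placeholders chosen for the example, and you would substitute the SIDs that actually dominate your alert counts.

```text
# threshold.conf (included from snort.conf via "include threshold.conf")
#
# 1) Suppress a known-benign source entirely for one signature.
#    gen_id 1 is the text rules engine; sig_id 1000001 and 10.1.1.54
#    are placeholders for this example.
suppress gen_id 1, sig_id 1000001, track by_src, ip 10.1.1.54

# 2) Rate-limit a noisy signature instead of silencing it: log at most
#    one event per source address every 60 seconds, then drop the rest.
event_filter gen_id 1, sig_id 1000002, type limit, track by_src, count 1, seconds 60

# 3) Only alert once a threshold is crossed: fire on the 10th hit from a
#    source within 60 seconds (useful for scan/brute-force style rules),
#    and then every 10th hit after that.
event_filter gen_id 1, sig_id 1000003, type both, track by_src, count 10, seconds 60
```

Before adding filters, rank the alerts you already have (for example, counting sig_id occurrences in the unified2 or alert_fast output) so that the few SIDs generating most of the volume are the ones you limit or suppress; suppressing a signature that is genuinely firing on an attack only hides the problem.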
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
