Snort mailing list archives

Re: snort rule application


From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Sat, 5 Sep 2015 12:46:38 +0000

May want to check out this first:

https://www.snort.org/faq/can-i-have-help-with-my-homework

--
Joel Esler
Manager, Threat Intelligence and Open Source
Talos Group
Sent from my iPhone

On Sep 4, 2015, at 11:02 PM, Bruce Rosenthal <bsr3635 () gmail com> wrote:

Interested in anyone who has implemented the following Snort approach. This approach is focused on deploying Snort in passive “detection” mode only, i.e., traffic is alerted on but not dropped or rejected.

1. Configure a set of rules that alert on packets that are verified as “good” patterns. Have these rules log to a specific log file defined in the rules comprising this “good traffic” set for further analysis, described below. Logging is done using the logto attribute.

2. Also configure Snort rules in the more traditional approach to alert on malicious signatures. Include in this “bad” set of rules the logto attribute to log to a different “bad traffic” log.

3. Log all the traffic that is being monitored by Snort to an “all traffic” log.

4. Have the Snort sensors configured this way forward the “good” and “bad” alert-driven logs to a data analytics application that will also receive the “all traffic” set.

5. Then, perform an analysis of these three sets that takes the differential of the “good” and the “bad” from the total to arrive at a residual set of traffic that doesn’t fit either the good or the bad set.

Purpose of the approach: to conduct further analysis of the residual set in order to disposition the residual into either the “good” or the “bad” as part of an ongoing Snort tuning process.

Interested in anything being done like this or a similar variant.
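Added example, not from either poster: one way to compute the step 5 residual. It assumes the “good” and “bad” logto files are in Snort's fast alert format, that the “all traffic” set has been reduced to a flow CSV (proto,src,sport,dst,dport), and that flows are matched on the 5-tuple; every log line below is constructed. It also goes one step past the post by reporting flows that hit both the good and the bad rule sets, since those are the first tuning conflicts to resolve.

```python
import re

# Snort fast-alert line, e.g. "[**] [1:1000001:1] msg [**] ... {UDP} 10.0.0.5:53412 -> 10.0.0.2:53"
ALERT_RE = re.compile(
    r"\[\*\*\] \[\d+:(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample content of the "good traffic" logto file.
GOOD_LOG = """\
09/04-23:02:11.100000  [**] [1:1000001:1] GOOD dns to corp resolver [**] [Priority: 3] {UDP} 10.0.0.5:53412 -> 10.0.0.2:53
09/04-23:02:12.200000  [**] [1:1000003:1] GOOD https to update mirror [**] [Priority: 3] {TCP} 10.0.0.6:41000 -> 192.0.2.10:443
"""
# Constructed sample content of the "bad traffic" logto file; the second line deliberately
# overlaps a "good" flow to show a rule conflict.
BAD_LOG = """\
09/04-23:02:13.300000  [**] [1:1000002:1] BAD suspicious outbound pattern [**] [Priority: 1] {TCP} 10.0.0.7:44122 -> 203.0.113.9:443
09/04-23:02:12.250000  [**] [1:1000004:1] BAD odd tls handshake [**] [Priority: 2] {TCP} 10.0.0.6:41000 -> 192.0.2.10:443
"""
# Constructed "all traffic" set as flow CSV (assumption: proto,src,sport,dst,dport).
ALL_TRAFFIC = """\
UDP,10.0.0.5,53412,10.0.0.2,53
TCP,10.0.0.6,41000,192.0.2.10,443
TCP,10.0.0.7,44122,203.0.113.9,443
TCP,10.0.0.8,50211,198.51.100.4,8080
UDP,10.0.0.9,40001,198.51.100.5,123
"""

def parse_alerts(text):
    """Map each alerted 5-tuple to the set of SIDs that fired on it."""
    flows = {}
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            key = (m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
            flows.setdefault(key, set()).add(m["sid"])
    return flows

def parse_all_traffic(text):
    """Read the flow CSV into a set of 5-tuples."""
    flows = set()
    for line in text.splitlines():
        if line.strip():
            proto, src, sport, dst, dport = line.split(",")
            flows.add((proto, src, int(sport), dst, int(dport)))
    return flows

def residual(all_flows, good, bad):
    """Return (flows in neither set, flows alerted by both sets)."""
    good_keys, bad_keys = set(good), set(bad)
    return sorted(all_flows - good_keys - bad_keys), sorted(good_keys & bad_keys)
```

The residual list is the input to the tuning loop; the conflict list points at flows where a “good” and a “bad” rule disagree and one of them needs adjusting.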

------------------------------------------------------------------------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!