Snort mailing list archives
Threshold.conf best practices
From: Jon Price <JonP () insync-socal com>
Date: Thu, 5 May 2016 02:46:49 +0000
We are running a few Snort boxes that are monitoring a few thousand hosts. I've been tuning my Snort instance by suppressing / rate limiting alerts based on time, src and dest. So far so good.

What I'd like to ask is: are there any best practices regarding how many suppression rules or lines there should be in threshold.conf? At some point one would think to just disable the rule. For example: ET POLICY Dropbox DNS Lookup; we suppress this for about 200 hosts (each their own line in threshold.conf) but alert on any others. The same exceptions go for 20-30 other rules, and that gives me a 2000+ line threshold.conf. No issues detected, but maybe my Snort instance is struggling and I don't see it.

Thanks for your time. Hopefully I didn't sound too dumb on my first list post.

-jp
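One way to shrink a per-host threshold.conf like the one described above, as an added example that is not part of the original post or of the Snort project: Snort's `suppress` directive accepts a CIDR block in its `ip` argument, so runs of adjacent host entries for the same gid/sid/track can be merged into exact CIDR blocks without widening what is suppressed. The script below parses `suppress ... ip <host>` lines, groups them, collapses each group with `ipaddress.collapse_addresses`, and passes every other line (comments, `event_filter` lines) through unchanged. The sample configuration is constructed, and the sids used in it are placeholders, not the real sid of the Dropbox DNS rule.

```python
"""Collapse per-host Snort 'suppress' lines into exact CIDR blocks.

Added example; not code from the original mailing-list post or from Snort.
The sample threshold.conf below is constructed, and its sids are placeholders.
"""
import ipaddress
import re
from collections import defaultdict

# Matches: suppress gen_id <gid>, sig_id <sid>, track by_src|by_dst, ip <ip|cidr>
SUPPRESS_RE = re.compile(
    r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)\s*,"
    r"\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+)\s*$"
)

SAMPLE_CONF = """\
# constructed sample; sid 1000001 stands in for the Dropbox DNS lookup rule
suppress gen_id 1, sig_id 1000001, track by_src, ip 10.1.1.4
suppress gen_id 1, sig_id 1000001, track by_src, ip 10.1.1.5
suppress gen_id 1, sig_id 1000001, track by_src, ip 10.1.1.6
suppress gen_id 1, sig_id 1000001, track by_src, ip 10.1.1.7
suppress gen_id 1, sig_id 1000001, track by_src, ip 10.1.2.9
suppress gen_id 1, sig_id 1000002, track by_dst, ip 192.0.2.10
suppress gen_id 1, sig_id 1000002, track by_dst, ip 192.0.2.11
event_filter gen_id 1, sig_id 1000003, type limit, track by_src, count 1, seconds 60
"""


def parse_suppress_lines(text):
    """Split a threshold.conf into (entries, passthrough).

    entries maps (gid, sid, track) -> list of ip_network objects taken from
    'suppress ... ip' lines; passthrough keeps every other non-blank line
    verbatim (comments, event_filter lines, suppressions without an ip).
    """
    entries = defaultdict(list)
    passthrough = []
    for line in text.splitlines():
        m = SUPPRESS_RE.match(line)
        if not m:
            if line.strip():
                passthrough.append(line.rstrip())
            continue
        gid, sid, track, ip = m.groups()
        # strict=False lets an existing CIDR with host bits set through.
        entries[(int(gid), int(sid), track)].append(
            ipaddress.ip_network(ip, strict=False))
    return entries, passthrough


def collapse(entries):
    """Merge each group's networks into the minimal exact set of CIDR blocks.

    collapse_addresses only joins adjacent blocks into their exact supernet,
    so the result covers precisely the original hosts, never more.
    IPv4 and IPv6 are collapsed separately because they cannot be mixed.
    """
    collapsed = {}
    for key, nets in entries.items():
        merged = []
        for version in (4, 6):
            same = [n for n in nets if n.version == version]
            if same:
                merged.extend(ipaddress.collapse_addresses(same))
        collapsed[key] = merged
    return collapsed


def render(collapsed, passthrough):
    """Emit passthrough lines first, then one suppress line per CIDR block."""
    out = list(passthrough)
    for (gid, sid, track), nets in sorted(collapsed.items()):
        for net in nets:
            # A single host is written bare, as in the original file.
            if net.prefixlen == net.max_prefixlen:
                ip = str(net.network_address)
            else:
                ip = str(net)
            out.append(
                f"suppress gen_id {gid}, sig_id {sid}, track {track}, ip {ip}")
    return out


def shrink(text):
    """Return the rewritten threshold.conf as a list of lines."""
    entries, passthrough = parse_suppress_lines(text)
    return render(collapse(entries), passthrough)


if __name__ == "__main__":
    for line in shrink(SAMPLE_CONF):
        print(line)
```

On the constructed sample this turns eight lines into five: the four contiguous hosts become `10.1.1.4/30`, the two `by_dst` hosts become `192.0.2.10/31`, and the stray `10.1.2.9` stays as it is. Because only exact supernets are formed, the rewritten file suppresses the same alerts as the original; hosts scattered across address space will not shrink, and collapsing them further would mean choosing a broader subnet, which is a deliberate widening of the suppression rather than a mechanical rewrite.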