[Snort-sigs] Fine tuning snort rules.
captain at ...39...
Thu Mar 29 18:43:59 EST 2001
I'm a new user to snort and am trying to fine tune my snort configuration.
I'm trying to fine tune it so that I get less than 1500 alerts. I'm having a
little trouble with two in particular; both are false positives.
I am getting a large number of false positives on the WEB-CGI rules, in
particular the ksh access rule. The rule in question is:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI ksh access"; flags:A+; content:"/ksh"; nocase; reference:cve,CAN-1999-0509;)
It turns out that our web server is hosting a site with a directory /kshome,
and it happens to be a very busy site, so this generates a large number of
So obviously the rule needs to be refined. My question is what would be the best way?
I was thinking that changing it to content: "/ksh?" should cause it to only look at actual requests for the korn shell. My only concern is that this might narrow it down too far?
I get a lot of messages about [**] MISC source port 53 to <1024 [**]
As it happens, the traffic is between our DNS server and other DNS servers, both communicating on port 53.
I'm pretty sure it's valid. And I have the DNS servers listed in my snort.conf file.
Any help will be appreciated.
Sincerely, Kirk Ismay
The Net Idea Telecommunications Inc Support: tech at ...39...
101-625 Front Street, Sales: sales at ...39...
Nelson BC, V1L 4B6
Phone: 352-3512 Fax: 352-9780 Open Monday to Friday 9:30-5:30
Toll Free: 1-888-246-4222 10:00 - 4:00 on Saturdays
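Added example (not part of the original post or of Snort itself): a small Python simulation of Snort's `content:`/`nocase` substring test, run over a few constructed HTTP request payloads, to compare the original `/ksh` pattern, the proposed `/ksh?` refinement, and a delimiter-aware match. It shows that `/ksh?` drops the `/kshome` false positives but also misses a plain `GET /cgi-bin/ksh` request with no query string, which is exactly the narrowing concern raised above. The payloads, labels and function names are assumptions made for the example.

```python
import re

# Constructed sample HTTP request payloads (assumed for this example):
# two genuine requests for the ksh CGI, two busy-site hits under /kshome.
SAMPLE_PAYLOADS = [
    "GET /cgi-bin/ksh HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    "GET /cgi-bin/KSH?-c+id HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    "GET /kshome/index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    "GET /kshome/images/logo.gif HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
]
# Ground truth for the constructed corpus: True if the request really targets ksh.
SAMPLE_LABELS = [True, True, False, False]


def content_match(payload: str, pattern: str, nocase: bool = True) -> bool:
    """Approximates a Snort 'content:' test: a plain substring search over the
    payload, case-insensitive when 'nocase' is set (no anchoring at all)."""
    if nocase:
        return pattern.lower() in payload.lower()
    return pattern in payload


def delimited_match(payload: str, name: str = "/ksh") -> bool:
    """Tighter test: the name must be followed by a request-line delimiter
    (space, '?', CR/LF or end of data), so '/kshome' no longer qualifies
    while both '/ksh HTTP/1.0' and '/ksh?...' still do."""
    pattern = re.escape(name) + r"(?=[ ?\r\n]|$)"
    return re.search(pattern, payload, re.IGNORECASE) is not None


def evaluate(matcher, payloads=SAMPLE_PAYLOADS, labels=SAMPLE_LABELS) -> dict:
    """Count true positives, false positives and missed requests for a matcher."""
    counts = {"tp": 0, "fp": 0, "fn": 0}
    for payload, is_ksh in zip(payloads, labels):
        hit = matcher(payload)
        if hit and is_ksh:
            counts["tp"] += 1
        elif hit and not is_ksh:
            counts["fp"] += 1
        elif not hit and is_ksh:
            counts["fn"] += 1
    return counts


if __name__ == "__main__":
    candidates = {
        'content:"/ksh"; nocase;': lambda p: content_match(p, "/ksh"),
        'content:"/ksh?"; nocase;': lambda p: content_match(p, "/ksh?"),
        "/ksh followed by a delimiter": delimited_match,
    }
    for label, matcher in candidates.items():
        print(f"{label:32s} {evaluate(matcher)}")
```

The script only scores candidate patterns against sample traffic; which Snort keyword can express the delimiter-aware form depends on the Snort version in use, so check the rule language of the release you run before adopting it.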