[Snort-sigs] Fine tuning snort rules.

Kirk Ismay captain at ...39...
Thu Mar 29 18:43:59 EST 2001


I'm a new user to snort and am trying to fine tune my snort configuration.
(Snort 1.7)
I'm trying to fine tune it so that I get less than 1500 alerts. I'm having a
little trouble with two in particular, both are false positives.

The first:

I am getting a large number of false positives on the WEB-CGI rules, in
particular the ksh access rule. The rule in question is:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI ksh access";
flags:A+; content:"/ksh"; nocase; reference:cve,CAN-1999-0509;)

It turns out that our web server is hosting a site with a directory /kshome,
and it happens to be a very busy site, so this generates a large number of
alerts!

So obviously the rule needs to be refined. My question is what would be the best way?

I was thinking that changing it to content: "/ksh?" should cause it to only look at actual requests for the korn shell. My only concern is that this might narrow it down too far?

The second:

I get a lot of messages about [**] MISC source port 53 to <1024 [**]
As it happens, the traffic is between our DNS server and other DNS servers, both communicating on port 53.

I'm pretty sure it's valid. And I have the DNS servers listed in my snort.conf file.

Any help will be appreciated.

Thanks.

--
Sincerely, Kirk Ismay
________________________________________________________________________
The Net Idea Telecommunications Inc            Support: tech at ...39...
101-625 Front Street,                          Sales:  sales at ...39...
Nelson BC, V1L 4B6
Phone: 352-3512 Fax: 352-9780            Open Monday to Friday 9:30-5:30
Toll Free: 1-888-246-4222                   10:00 - 4:00 on Saturdays
________________________________________________________________________
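An added example (not from the post or from the Snort project) that emulates the content match of the ksh rule above against constructed request lines, to show why the original `content:"/ksh"` fires on the /kshome site and what the proposed `/ksh?` would and would not catch. Snort content strings are literal bytes, so `?` is matched as an ordinary character, not a wildcard; the third candidate `"/ksh "` is my own assumption of an alternative, not something the post proposes.

```python
import re

# Rule text quoted in the post (Snort 1.7 syntax); only content and nocase
# matter for this check, flags/ports are ignored here.
KSH_RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI ksh access"; '
            'flags:A+; content:"/ksh"; nocase; reference:cve,CAN-1999-0509;)')

# Constructed sample request lines: traffic to the busy /kshome site, which
# should not alert, and hypothetical requests for a ksh CGI, which should.
SAMPLE_REQUESTS = [
    "GET /kshome/index.html HTTP/1.0",
    "GET /KSHome/images/logo.gif HTTP/1.0",
    "GET /cgi-bin/ksh?-c HTTP/1.0",   # hypothetical, with query string
    "GET /cgi-bin/ksh HTTP/1.0",      # hypothetical, no query string
]

def parse_content_options(rule):
    """Return (pattern, nocase) pairs from the rule's option block."""
    opts = rule[rule.index("(") + 1 : rule.rindex(")")]
    return [(m.group(1), bool(m.group(2).strip()))
            for m in re.finditer(r'content:"([^"]*)";((?:\s*nocase;)?)', opts)]

def content_matches(pattern, nocase, payload):
    """Snort content is a literal substring match; nocase folds case."""
    if nocase:
        return pattern.lower() in payload.lower()
    return pattern in payload

def rule_hits(rule, payload):
    """True when every content option of the rule matches the payload."""
    return all(content_matches(p, nc, payload) for p, nc in parse_content_options(rule))

def with_content(rule, new_pattern):
    """Return a copy of the rule with its first content: pattern replaced."""
    return re.sub(r'content:"[^"]*"', lambda m: 'content:"%s"' % new_pattern, rule, count=1)

def compare_candidates(candidates, requests):
    """Map each candidate content string to the sample requests it alerts on."""
    return {c: [r for r in requests if rule_hits(with_content(KSH_RULE, c), r)]
            for c in candidates}

if __name__ == "__main__":
    for pattern, hits in compare_candidates(["/ksh", "/ksh?", "/ksh "], SAMPLE_REQUESTS).items():
        print(repr(pattern), "->", hits)
```

The run shows the original pattern alerting on every /kshome request, `/ksh?` matching only the request with a query string (the "too narrow" case the post worries about), and a trailing-space variant matching only the bare CGI path.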