[Snort-sigs] Ultimate Rule List

David Wilburn bug at ...270...
Mon May 19 09:56:02 EDT 2003

On Mon, May 19, 2003 at 07:47:25AM -0700, Greg Powell wrote:
> In theory is there an ultimate rule set that could be written to reduce
> false positives? I am trying to understand if most of the current rules are
> written to catch as many intrusions as possible by using a small set of
> rules. Does anyone see it as possible to write a large set of rules that
> could limit the number of false positives?
> My assumptions are that some false positives are generated by the fact that
> the rules are too loose. I would like to be the first to indicate that I may
> be wrong in this assumption (so let me know if this is not the case). If
> this is true then could there be some larger set of more refined rules that
> would better block each intrusion?
> I do understand that there may be a cpu/memory consumption trade off but I
> am not sure I understand how large that impact would be.

First off, an IDS does not block anything; it detects things.  If you
are using some sort of active response or automatic filtering in
your NIDS without EXTREME care, you need to get your head examined.

Secondly, your rules will need to be tuned properly for your environment,
so there is no single "ultimate rule set."  There will be rules that
are on by default in the snort rules that are inappropriate in your
environment.  Try seeing if there are a handful of hosts responsible for
the vast majority of your false positives, and use Snort variables to
have your ruleset ignore those hosts for the rules that generate the
false positives.  Consider disabling some of the rules outright, 
if filtering isn't practical for your needs.  You might find that
the regular old Snort ruleset works quite well for you if you spend just
a bit of time tuning it.

There would be a cpu/memory tradeoff, certainly.  However, the biggest
tradeoff would be in terms of rule flexibility in catching modified or
wholly unknown attack tools.

With a signature-based IDS, you've basically got two choices:  1) make
your signatures very specific to the known exploits, or 2) make your
signatures general enough that they can catch modified or unknown attack

With #1, you will generally have a lower false positive rate, but also a
higher false negative rate (meaning you just won't catch modified or
unknown tools).  It would be trivial for a bad guy to slightly modify
the exploits to work around the signatures, or to use one of several
publicly available tools for automatically altering the exploit.
You won't catch anyone but the script kiddies.

With #2, often you'll target your signatures to look for accesses of
vulnerable functions, or more generic oddities.  You'll probably get a
higher false positive rate, but you'll also probably have a much greater
chance of catching modified attack tools or previously unknown attack
methods.  There's no guarantee, of course, and anyone with half a brain
accepts the fact that no IDS will ever catch the "really really really
bad guys," but at least you've got a leg up on the folks who are
slightly more evolved than hamsters and script kiddies (but I repeat

It varies from rule to rule, of course, but most of the official rules
appear to me to follow method #2.
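The tuning and the two signature styles described in David's reply, as an added Snort 2.x rules fragment that is not part of the original message or the official ruleset. The addresses, the NOISY_HOSTS variable, the script name, the content strings and the local SIDs are all made-up placeholders for illustration:

```snort
# Added example (not from the post): a local.rules / snort.conf fragment
# showing per-site tuning with Snort variables, a tight "method #1" rule
# and a loose "method #2" rule.  All addresses, SIDs and content strings
# are hypothetical placeholders.

var HOME_NET 192.168.0.0/16
var EXTERNAL_NET !$HOME_NET

# The handful of hosts responsible for most of the noise on a given rule
# (hypothetical: an internal vulnerability scanner and a monitoring box).
var NOISY_HOSTS [192.168.1.10,192.168.1.11]

# Method #1: a signature tied to one known exploit string.  Low false
# positive rate, but a trivial change to the exploit (different
# separator, different command) evades it.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL foo.cgi known exploit string"; \
    flow:to_server,established; content:"/cgi-bin/foo.cgi?cmd=|3B|id"; nocase; \
    classtype:web-application-attack; sid:1000001; rev:1;)

# Method #2: a looser signature that keys on any access to the vulnerable
# script, so modified tools are still caught.  The known-noisy hosts are
# excluded through the variable instead of disabling the rule.
alert tcp !$NOISY_HOSTS any -> $HOME_NET 80 (msg:"LOCAL foo.cgi access"; \
    flow:to_server,established; uricontent:"/cgi-bin/foo.cgi"; nocase; \
    classtype:web-application-activity; sid:1000002; rev:1;)

# A rule disabled outright because host filtering is not practical for
# it: it fires on every ordinary CGI request in this environment.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL generic cgi-bin access"; \
#     flow:to_server,established; uricontent:"/cgi-bin/"; nocase; \
#     classtype:web-application-activity; sid:1000003; rev:1;)
```

Local rules use SIDs of 1000000 and above so they never collide with the official ruleset; the `!$NOISY_HOSTS` source restriction on the second rule is the "use Snort variables to have your ruleset ignore those hosts" step, applied only to the rule that needs it rather than to the whole sensor.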

