[Snort-sigs] Commented out rules in snort-rules.tgz

Alex Kirk alex.kirk at ...435...
Tue Jun 12 08:36:57 EDT 2007


Shirkdog is correct. Rules get commented out for one of a number of reasons:

* They could generate lots of FPs (either generally or in certain 
environments)
* They're only useful in very specific environments, so it's not worth 
making Snort work that much harder unless your environment has the 
specific thing the rule is looking for
* They're performance hogs, and should only be enabled if you really 
care about the thing that they're looking for

While tuning your IDS/IPS is still one of the most important things you 
can do as an administrator of such a system, those in charge of rule 
distributions are essentially doing a first level of (very rough) tuning 
for you by commenting out some rules. Note that this tuning is only a 
suggestion, and that depending on your environment, the choice to 
disable a rule may not be an appropriate one. Get to know your network, 
and you'll be able to figure it out.

Alex Kirk
Research Analyst
Sourcefire, Inc.
> Hello,
>
> I would like to know why, in the snort-rules.tgz, some rules are commented
> out ("#alert ..."). Is that because they tend to generate false
> positives? because they are very specific to some environments? some
> other reason? :-)
>
> Best regards,
>   
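As a worked illustration of the "first level of rough tuning" described above, here is a small script that inventories which rules in a Snort rules file are shipped commented out ("#alert ...") and lets an administrator re-enable or disable individual rules by SID once they know their network. This is an added example, not code from the original post, from Sourcefire or from the Snort distribution; the rule lines, SIDs (9000001-9000004) and messages it operates on are constructed for illustration and do not correspond to any real rule. The script handles single-line rules only; multi-line rules joined with a trailing backslash are not reassembled.

```python
"""Inventory and toggle commented-out Snort rules by SID.

Added example (not part of the original mailing-list post or of the Snort
distribution). SAMPLE_RULES below is a constructed fragment in the style of
a snort-rules.tgz file; its SIDs and messages are made up.
"""
import re

# Constructed sample: two rules are shipped disabled ("#alert ..."), as a
# rule distribution would do for noisy or environment-specific rules.
SAMPLE_RULES = """\
# ---- constructed sample, not a real distribution file ----
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE web probe"; flow:to_server,established; content:"/probe"; sid:9000001; rev:1;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"EXAMPLE telnet noisy check"; flow:to_server; content:"login"; sid:9000002; rev:2;)
#alert udp any any -> $HOME_NET 161 (msg:"EXAMPLE snmp site-specific"; content:"public"; sid:9000003; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"EXAMPLE ssh banner"; content:"SSH-"; depth:4; sid:9000004; rev:1;)
"""

# A rule line: optional leading "#" (disabled), a rule action, and a sid option.
# Plain comment lines ("# ----") do not match because no action keyword follows "#".
RULE_RE = re.compile(
    r'^(?P<off>#\s*)?'
    r'(?P<body>(?:alert|log|pass|drop|reject|sdrop)\s.*sid\s*:\s*(?P<sid>\d+)\s*;.*)$'
)
MSG_RE = re.compile(r'msg\s*:\s*"([^"]*)"')


def parse_rules(text):
    """Return a list of dicts (line, enabled, sid, msg) for every rule line,
    whether it is active or commented out. Continuation lines are not joined."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = RULE_RE.match(line)
        if not m:
            continue
        msg_m = MSG_RE.search(m.group("body"))
        rules.append({
            "line": lineno,
            "enabled": m.group("off") is None,
            "sid": int(m.group("sid")),
            "msg": msg_m.group(1) if msg_m else "",
        })
    return rules


def disabled_sids(text):
    """SIDs of rules that are present in the file but commented out."""
    return [r["sid"] for r in parse_rules(text) if not r["enabled"]]


def toggle_rules(text, enable=(), disable=()):
    """Return the rules text with the given SIDs enabled / disabled.
    Enabling strips the leading '#'; disabling prepends one. Lines that are
    already in the requested state are left as they are."""
    enable, disable = set(enable), set(disable)
    out = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            sid = int(m.group("sid"))
            if sid in enable:
                line = m.group("body")
            elif sid in disable:
                line = "#" + m.group("body")
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for r in parse_rules(SAMPLE_RULES):
        state = "enabled " if r["enabled"] else "DISABLED"
        print(f"line {r['line']:>3}  {state}  sid:{r['sid']}  {r['msg']}")
    # Example local decision: this site runs SNMP, so the site-specific rule
    # is turned on; the web probe rule has proved too noisy here, so it is off.
    print(toggle_rules(SAMPLE_RULES, enable=[9000003], disable=[9000001]))
```

Running the script prints an inventory of the four constructed rules, two of them flagged DISABLED, and then the rewritten file with sid 9000003 enabled and sid 9000001 commented out. In practice the same inventory against the real snort-rules.tgz gives a quick list of what the distribution has switched off, which is the starting point for the per-environment tuning the post recommends.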