[Snort-users] One for the Wishlist

Erickson Brent W KPWA erickson at ...160...
Sat Aug 26 02:36:10 EDT 2000


Hello fellow snorters,

I agree. Snort does an exceptional job. Snort outperforms many commercial
IDS systems. Snort's rule base is superior and kept very current thanks to
all of you.

The bottom line for me is, you must know and understand your own unique
traffic patterns and customize the Snort rule base accordingly.

If you do not understand your own traffic, you are Snorting in the dark.

Brent



> -----Original Message-----
> From:	A.L.Lambert [SMTP:alambert at ...387...]
> Sent:	Friday, August 25, 2000 10:42 PM
> To:	Snort-Users (E-mail)
> Subject:	RE: [Snort-users] One for the Wishlist
> 
> > Why not have snort extract the severity from a field in the rule
> > itself. 
> 
> 	My argument against that would be more overhead for snort while
> doing rule processing.  If I'm wrong, and you can add more fields for
> snort to take into account while it's snarfing traffic/generating alerts
> w/o adding *any* overhead, then I don't suppose I would have much of a
> complaint (other than in principle I think parsers should handle parsing,
> and sniffers should handle sniffing :).
> 
> 	(and yes, I know the overhead would be fairly negligible, but some
> of us are using snort in some extreme enough bandwidth/sysload situations,
> that every last CPU cycle is better devoted to snarfing/analyzing traffic,
> than prettifying things for parsers which can just as easily do the job
> w/o causing any overhead on the snort machines).
> 
> > Then it's a simple generic change to snort, the severity can be easily
> > changed by the users, and it could be backwards compatible to existing
> > rulesets.
> 
> 	Yes, but OTOH, a similarly simple change to the way information is
> parsed by analysis tools gives the same results, w/o having to muck with
> the relatively huge existing databases of rules, w/o having to change
> anything to do with snort.  Same end result, and less work to be done.
> 
> 	And also, IMHO, it is better from a security standpoint that each
> individual running snort pay enough attention to know what's normal on
> THEIR network, and set their own severity levels accordingly, and not have
> severity levels determined generically.  Most networks are somewhat
> unique, and what's normal traffic on my network that generates
> false-alarm-X, may never be seen on your network unless someone's doing
> something very bad.
> 
> 	Apologies to any whom I might have just offended by my opinions,
> and as always, YMMV. :)
> 
> 	--A.L.Lambert
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users
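The approach argued for in the quoted message, leaving Snort's rules and engine alone and letting the analysis tool assign severity from a site-specific policy, can be shown with a short post-processor. The script below is an added example and is not part of this thread or of Snort itself. The alert lines are constructed in the old "fast" alert format, the baseline severity table and the `LOCAL_NORMAL` list (the monitoring host 10.0.0.5 is assumed to ping every host on a schedule) are hypothetical values a site would fill in from its own traffic, and the severity scale (0 = expected here, 3 = worst) is likewise an assumption.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines in Snort's "fast" alert format (not real captures).
SAMPLE_ALERTS = """\
08/25-22:41:03.112233 [**] WEB-MISC /etc/passwd [**] 192.0.2.77:3344 -> 10.0.0.10:80
08/25-22:41:09.445566 [**] ICMP PING NMAP [**] 10.0.0.5 -> 10.0.0.10
08/25-22:41:15.778899 [**] ICMP PING NMAP [**] 198.51.100.9 -> 10.0.0.10
08/25-22:41:20.001122 [**] SNMP public access [**] 10.0.0.20:1025 -> 10.0.0.10:161
"""

# timestamp [**] message [**] src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Generic baseline: message pattern -> severity (higher is worse).
# Hypothetical values; each site tunes these to its own traffic.
BASE_SEVERITY = [
    (re.compile(r"/etc/passwd"), 3),
    (re.compile(r"^ICMP PING"), 1),
    (re.compile(r"^SNMP "), 2),
]

# Site-specific knowledge: sources that are expected to trigger a given alert.
# Hypothetical: 10.0.0.5 is the local monitoring host that pings everything.
LOCAL_NORMAL = [
    (ip_network("10.0.0.5/32"), re.compile(r"^ICMP PING")),
]


def parse_alert(line):
    """Split one fast-format alert line into its fields; None if it does not parse."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["sport"] = int(fields["sport"]) if fields["sport"] else None
    fields["dport"] = int(fields["dport"]) if fields["dport"] else None
    return fields


def assign_severity(alert):
    """Return (severity, reason): local knowledge first, then the generic baseline."""
    src = ip_address(alert["src"])
    for net, pattern in LOCAL_NORMAL:
        if src in net and pattern.search(alert["msg"]):
            return 0, f"expected from {net}"
    for pattern, level in BASE_SEVERITY:
        if pattern.search(alert["msg"]):
            return level, f"baseline match {pattern.pattern!r}"
    # Anything the policy has never seen deserves a look rather than silence.
    return 2, "no baseline entry; review"


def triage(text):
    """Parse every alert line, attach severity and reason, worst first."""
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        alert = parse_alert(line)
        if alert is None:
            continue  # unparseable line; a real tool would log it
        severity, reason = assign_severity(alert)
        results.append({**alert, "severity": severity, "reason": reason})
    results.sort(key=lambda a: a["severity"], reverse=True)
    return results


if __name__ == "__main__":
    for a in triage(SAMPLE_ALERTS):
        print(f'[{a["severity"]}] {a["msg"]:<22} {a["src"]} -> {a["dst"]}  ({a["reason"]})')
```

The point of the split is that the rule set and the sniffer stay untouched: the same ICMP PING alert scores 0 when it comes from the known monitoring host and 1 from anywhere else, and that decision lives entirely in the site's policy tables, which can be changed without touching a single rule or costing the Snort sensor any cycles.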



