[Snort-users] Recommendations?

Thu Mar 1 01:43:01 EST 2001

Kevin.Brown at ...1022... wrote:

> The current ruleset is from whitehat, namely Vision.conf and is only 447 rules
> long (as opposed to 1130 rules from snortfull.conf).  It was clocking
> 9GB/month with that ruleset (about 1,000,000 alerts per day) and was upped to
> 6GB/week because we modified the database structure to add more indexes to
> improve the read access on the db.  


> It's hard to clean up the ruleset any further due to the fact that we can't
> access the db effectively enough to figure out if any of the rules are going
> off with false positives.  The best I can do is find out what rules are going
> off the most (like ping with data of 00000000000000000000.....) and just
> disable the rule in an attempt to bring the db size under control and wait and
> see what rule pops to the top of the list next.

Everybody's situation is different, but what works for me to skip a lot
of the less useful ICMP messages is:

pass icmp any any <> any any (itype: 8;)
pass icmp any any <> any any (itype: 0;)
pass icmp any any <> any any (itype: 3;)
pass icmp any any <> any any (itype: 5; icode:1;)
pass icmp any any <> any any (itype: 5; icode:0;)
pass icmp any any <> any any (itype: 11; icode:0;)

I think the biggest cause of false positives is the rules that just
check for ports / flags and not an actual signature. I know Jim has been
working on a major ruleset cleanup for a while now.

I also set up pass rules for the AIM, Napster, ICQ, etc. rules, b/c
they're not relevant to me -- YMMV.

Also, I'm building some scripts here similar to Snorticus that break
Snort up into one process to sniff and one process to decode / log,
ideally on separate boxen. This breaks things up a bit behind realtime,
say five or ten minutes or so, but I'm wondering if part of the slowdown
you're experiencing is from Snort writing to the DB at the same time
you're running queries(?).
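As an added illustration of the two tuning steps discussed in this thread (finding which rules "pop to the top" of the alert volume, and checking what the six ICMP pass rules above would actually silence), here is a small Python script. It is not code from the original post or from Snort; the alert lines are constructed in the style of Snort's fast-format output, and the addresses, times and counts are made up.

```python
"""Added example, not part of the original post or of Snort itself: tally
which rules fire most from a fast-format alert file (the "what pops to
the top" check from the thread) and evaluate which ICMP type/code pairs
the pass rules quoted in the reply would silence."""
import re
from collections import Counter

# Constructed sample lines in the style of Snort's fast alert output;
# addresses, timestamps and counts are made up for this example.
SAMPLE_ALERTS = """\
03/01-01:40:12.000001 [**] ICMP PING [**] 10.0.0.5 -> 10.0.0.1
03/01-01:40:13.000002 [**] ICMP PING [**] 10.0.0.6 -> 10.0.0.1
03/01-01:40:14.000003 [**] ICMP Echo Reply [**] 10.0.0.1 -> 10.0.0.5
03/01-01:40:15.000004 [**] ICMP PING [**] 10.0.0.7 -> 10.0.0.1
03/01-01:40:16.000005 [**] WEB-CGI phf access [**] 192.0.2.9:3421 -> 10.0.0.80:80
03/01-01:40:17.000006 [**] ICMP Destination Unreachable [**] 10.0.0.1 -> 10.0.0.5
"""

# The signature name sits between the two "[**]" markers.
ALERT_RE = re.compile(r"\[\*\*\]\s*(?P<sig>.+?)\s*\[\*\*\]")


def top_signatures(alert_text, n=5):
    """Return [(signature, count), ...] for the n noisiest rules."""
    counts = Counter()
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            counts[m.group("sig")] += 1
    return counts.most_common(n)


# The six pass rules from the reply, verbatim.
PASS_RULES = """\
pass icmp any any <> any any (itype: 8;)
pass icmp any any <> any any (itype: 0;)
pass icmp any any <> any any (itype: 3;)
pass icmp any any <> any any (itype: 5; icode:1;)
pass icmp any any <> any any (itype: 5; icode:0;)
pass icmp any any <> any any (itype: 11; icode:0;)
"""

# itype is required; icode is optional (absent means "any code").
PASS_RE = re.compile(
    r"^pass\s+icmp\s.*\(\s*itype:\s*(?P<itype>\d+);"
    r"(?:\s*icode:\s*(?P<icode>\d+);)?\s*\)"
)


def parse_pass_rules(rule_text):
    """Return a list of (itype, icode) pairs; icode is None for any code."""
    rules = []
    for line in rule_text.splitlines():
        m = PASS_RE.match(line.strip())
        if m:
            icode = m.group("icode")
            rules.append((int(m.group("itype")),
                          int(icode) if icode is not None else None))
    return rules


def is_passed(itype, icode, rules):
    """True if an ICMP packet of this type/code matches one of the pass rules."""
    return any(t == itype and (c is None or c == icode) for t, c in rules)


if __name__ == "__main__":
    for sig, count in top_signatures(SAMPLE_ALERTS):
        print(f"{count:6d}  {sig}")
    rules = parse_pass_rules(PASS_RULES)
    # Redirect-for-host (5/1) is silenced; redirect-for-TOS-and-host (5/3)
    # and fragment-reassembly-time-exceeded (11/1) still alert.
    for itype, icode in [(8, 0), (5, 1), (5, 3), (11, 1)]:
        verdict = "passed" if is_passed(itype, icode, rules) else "alerted"
        print(f"itype {itype} icode {icode}: {verdict}")
```

One caveat worth checking before relying on pass rules like these: Snort 1.x applies rule groups in the order Alert, Pass, Log by default, so a pass rule only pre-empts a matching alert rule when Snort is started with `-o`, which switches the order to Pass, Alert, Log. The script's `is_passed` check describes what the pass list covers, not whether the running sensor is honouring it.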
