[Snort-users] HOWTO on managing IDS rules?

Jason Haar Jason.Haar at ...294...
Tue Sep 25 15:30:03 EDT 2001


I've been running snort for some time now, and am trying to formalize how we
handle signature management.

As we all know, False Alerts are not our friends. I'm trying to generate a
more appropriate way of dealing with signatures, and as always, would like
to hear from others if this is a Good Idea...

So, we have a DMZ. We get our obligatory 10,000 CodeRed/Nimda alerts per
week from Snort. We are not interested in these alerts, as our servers are
patched and/or Apache. OTOH, we don't want to stop detecting CodeRed/Nimda
as one day some git (i.e. me :-) may put an unsecured M$ IIS server in the
DMZ without thinking. So what we really want is to:

1> stop reporting on attack types we know ourselves to be immune to, to
   reduce the amount of logs that need checking.
2> document that this attack (from Internet to DMZ) is no longer being
   looked for.
3> start reporting on the same attack FROM DMZ TO INTERNET. This way we
   should catch any erroneously installed machines at a later date.

Sounds like a plan? Any other ways people are dealing with this "information
overload"? 

-- 
Cheers

Jason Haar

Unix/Special Projects, Trimble NZ
Phone: +64 3 9635 377 Fax: +64 3 9635 417
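Steps 1 to 3 above, written out as a small rule-management helper. This is an added example for the thread, not code from the post or from Snort; it parses a Snort rule header with a hypothetical regex, keeps the inbound rule as a dated, commented-out record, and emits an outbound copy under a constructed local sid (the sample rule and sid 9999 are constructed for illustration).

```python
"""Retarget one Snort rule from Internet->DMZ to DMZ->Internet (hypothetical
helper for this thread, not part of Snort): the inbound rule is kept as a
documented comment (steps 1 and 2) and an outbound copy gets a fresh sid (step 3)."""
import re
from typing import Optional, Tuple

# Snort rule header: action proto src sport dir dst dport (options)
HEADER = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')

def get_option(opts: str, name: str) -> Optional[str]:
    """Value of an unquoted option such as sid or rev, or None if absent."""
    m = re.search(r'(?:^|;)\s*%s\s*:\s*([^;]+);' % re.escape(name), opts)
    return m.group(1).strip() if m else None

def set_option(opts: str, name: str, value: str) -> str:
    """Replace an unquoted option in place, or append it if missing."""
    pattern = r'((?:^|;)\s*%s\s*:\s*)[^;]+;' % re.escape(name)
    if re.search(pattern, opts):
        return re.sub(pattern, lambda m: m.group(1) + value + ';', opts)
    return opts.rstrip() + ' %s:%s;' % (name, value)

def retarget_rule(rule: str, new_sid: int, reason: str, when: str) -> Tuple[str, str]:
    """Return (disabled inbound rule as a comment block, new outbound rule)."""
    m = HEADER.match(rule.strip())
    if not m:
        raise ValueError('not a Snort rule: %r' % rule)
    f = m.groupdict()
    old_sid = get_option(f['opts'], 'sid') or '?'
    # Steps 1 and 2: leave the rule in the file, commented out, with the date and
    # the reason, so the decision not to watch for this attack is on record.
    disabled = '# DISABLED %s (sid:%s): %s\n# %s' % (when, old_sid, reason, rule.strip())
    # Step 3: swap only the address variables; the ports stay put, so a DMZ host
    # spreading the worm is matched when it connects to port 80 on outside hosts.
    opts = set_option(f['opts'], 'sid', str(new_sid))  # use the local range (>= 1000000)
    opts = set_option(opts, 'rev', '1')
    opts = re.sub(r'msg:"([^"]*)"', lambda mm: 'msg:"%s (outbound from DMZ)"' % mm.group(1),
                  opts, count=1)
    outbound = '%s %s %s %s %s %s %s (%s)' % (
        f['action'], f['proto'], f['dst'], f['sport'], f['dir'], f['src'], f['dport'], opts)
    return disabled, outbound

# Constructed sample rule; sid 9999 is a placeholder, not a stock Snort sid.
SAMPLE_RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS CodeRed default.ida"; '
               'content:"/default.ida"; nocase; sid:9999; rev:3;)')

if __name__ == '__main__':
    for line in retarget_rule(SAMPLE_RULE, 1000001, 'DMZ web hosts patched / Apache', '2001-09-25'):
        print(line)
```

Run it over a rules file one line at a time and append the output to a local rules file that snort.conf includes after the stock ones.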



