[Snort-users] Snort Questions

Mike Shaw mshaw at ...3165...
Thu Jun 20 07:35:10 EDT 2002


At 08:23 AM 6/20/2002 -0400, Sandy Martin wrote:
>First, after looking through the rules, I noticed a wide variety of rules
>for a cross section of platforms. I understand that they were written that
>way on purpose. My question is, is it ok to go through and edit these rules
>to remove all of the *nix related stuff? Our network is composed of 20
>nodes. All Windows 2000 with 1 Windows 2000 Server. The server is a DC but
>not a web/mail, etc. server. So, I was thinking that to improve performance
>and reduce false positives, I could go through and edit the rules leaving
>only the Win32 stuff in. Is this a good route to go?

I like to keep some of those non-applicable rules running, as they can give 
insight into what people are trying (really noisy scanners, etc).

-Mike
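As an added example (not part of the thread, and not Snort's own tooling), the script below shows one way to do what Sandy describes while keeping the rules Mike suggests: it comments out any active rule whose msg contains a *nix-only marker, but leaves rules with recon/scan classtypes enabled so the noisy-scanner activity is still visible. The marker list, the classtype set and the sample rules (local-range sids) are constructed for illustration and are not real ruleset entries.

```python
"""Disable *nix-only Snort rules for a Windows-only network, keeping recon rules.

Added example: a filter over Snort 1.x/2.x text rules. Lines that are blank,
already commented out (#), or otherwise not an active rule pass through
unchanged, so the file stays loadable and disabled rules are easy to restore.
"""
import re

# Constructed sample rule file (local-range sids); not copied from any ruleset.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC /etc/passwd"; flow:to_server,established; content:"/etc/passwd"; classtype:attempted-recon; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IPC$ share access"; flow:to_server,established; content:"IPC$"; classtype:protocol-command-decode; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SHELLCODE x86 linux setuid 0"; content:"|B0 17 31 DB CD 80|"; classtype:system-call-detect; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap TCP"; flags:A; ack:0; classtype:attempted-recon; sid:1000004; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request rstatd"; content:"|00 01 86 A1|"; classtype:rpc-portmap-decode; sid:1000005; rev:1;)
# a rule that was already commented out stays untouched
"""

ACTION_RE = re.compile(r"^(alert|log|pass|activate|dynamic)\s")
MSG_RE = re.compile(r'msg:\s*"([^"]*)"')
CLASSTYPE_RE = re.compile(r"classtype:\s*([\w-]+)")
SID_RE = re.compile(r"sid:\s*(\d+)")

# Assumed list: the operator's own judgement of what only applies to *nix hosts.
NON_WINDOWS_MARKERS = ["linux", "solaris", "bsd", "unix", "rpc portmap",
                       "/etc/passwd", "/bin/sh"]
# Assumed set: recon/scan classtypes kept enabled regardless of platform,
# so the "what are people trying" signal Mike mentions is preserved.
KEEP_CLASSTYPES = {"attempted-recon", "network-scan", "successful-recon-limited"}


def parse_rule(line):
    """Return (msg, classtype, sid) for an active rule line, or None otherwise."""
    if not ACTION_RE.match(line):
        return None
    msg = MSG_RE.search(line)
    ct = CLASSTYPE_RE.search(line)
    sid = SID_RE.search(line)
    return (msg.group(1) if msg else "",
            ct.group(1) if ct else "",
            int(sid.group(1)) if sid else None)


def should_disable(msg, classtype, markers=NON_WINDOWS_MARKERS, keep=KEEP_CLASSTYPES):
    """Disable when the msg names a *nix-only marker, unless the classtype is kept."""
    if classtype in keep:
        return False
    lower = msg.lower()
    return any(marker in lower for marker in markers)


def filter_rules(text, markers=NON_WINDOWS_MARKERS, keep=KEEP_CLASSTYPES):
    """Return (rewritten rule text, list of sids that were commented out)."""
    out, disabled = [], []
    for line in text.splitlines():
        parsed = parse_rule(line)
        if parsed is None:          # blank, comment, variable, preprocessor line
            out.append(line)
            continue
        msg, classtype, sid = parsed
        if should_disable(msg, classtype, markers, keep):
            out.append("# " + line)  # a leading '#' is all Snort needs to skip it
            disabled.append(sid)
        else:
            out.append(line)
    return "\n".join(out) + "\n", disabled


if __name__ == "__main__":
    new_text, sids = filter_rules(SAMPLE_RULES)
    print(new_text)
    print("disabled sids:", sids)
```

Run it against a real rules file by swapping SAMPLE_RULES for the file contents; because disabled rules are only prefixed with `# `, a rule can be turned back on by deleting the prefix, and the returned sid list gives you a record of what was changed.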
