[Snort-users] Automated snort tuner
mkettler at ...4108...
Mon Apr 28 11:35:06 EDT 2003
At 03:02 PM 4/28/2003 +0100, Always Bishan wrote:
>Do we have an automated tuner for snort, or Is anybody

"automated tuner"? Do you mean something that automatically re-tweaks your
ruleset for you?

Personally, I don't think I'd advise anyone to consider writing such a
tool. People might be tempted to use it and not tune their setups themselves.
There's a very large amount of subjective opinion that goes into tuning a
snort setup and an immense number of variables to consider. Any automated
tool would do a half-assed job at best.

You could argue that an automated tuning would be a good starting place,
but I'd suspect most sysadmins would use it, and leave it as is without
thinking about it. Besides, you need to be intimately familiar with your
configuration in order to be able to make good sense of the alerts that are
generated anyway. So auto-tuning doesn't save you much time anyway. You'll
still have to thumb through the ruleset manually.