[Snort-users] Automated snort tuner

Matt Kettler mkettler at ...4108...
Mon Apr 28 11:35:06 EDT 2003

At 03:02 PM 4/28/2003 +0100, Always Bishan wrote:
>Hi guys,
>Do we have an automated tuner for snort, or is anybody
>doing it?

"automated tuner"? Do you mean something that automatically re-tweaks your 
ruleset for you?

Personally, I don't think I'd advise anyone to consider writing such a 
tool. People might be tempted to use it and not tune their setups themselves.

There's a very large amount of subjective opinion that goes into tuning a 
snort setup and an immense number of variables to consider. Any automated 
tool would do a half-assed job at best.

You could argue that automated tuning would be a good starting place, 
but I'd suspect most sysadmins would use it, and leave it as is without 
thinking about it. Besides, you need to be intimately familiar with your 
configuration in order to be able to make good sense of the alerts that are 
generated anyway. So auto-tuning doesn't save you much time anyway. You'll 
still have to thumb through the ruleset manually.

