[Snort-users] Making Snort Rules More "Sensitive"

Erek Adams erek at ...950...
Tue Jun 17 08:48:14 EDT 2003


On Tue, 17 Jun 2003, Rich Lichvar wrote:

> 2. We got dinged in a security audit last year about our IDS rules (Snort)
> not being "sensitive enough" and were told we needed to raise (lower?) the
> sensitivity thresholds. Okay, if some one can tell me where to start looking
> to accomplish this, I'd really appreciate the help.

Sounds like they need to give you more information.  It's not clear if
they mean "the rules are giving too many false positives" or "the rules
are not alerting enough".  What specifically are they expecting?  And if
you don't mind, just who are "they"?

At the most basic level, there isn't any "threshold" you can set.  It's
just a matter of rule tuning for either problem.  If you don't have Snort
configured correctly, you'll not get 'everything'.

Find out what they mean and then it'll be easier to point you in the right
direction.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson




More information about the Snort-users mailing list