[Snort-users] Making Snort Rules More "Sensitive"

D@...9454...@K|N& dataking at ...5190...
Tue Jun 17 08:51:13 EDT 2003

I would say start looking at the alerts that you DO get for one.
Second, I would say that you should bring up a small tcpdump box.
Something with a big hard-drive, a fast network card (and that's about
it).  Set up some regular tcpdumps during normal working hours, and
other times ("hacker popular times") and then examine the data that you
get from the dump box.  Look at the data that you are actually
receiving/sending, compare that to what you are already filtering for,
and go from there.  Also, examine the possibility (if not already in
place) of setting up an "inward looking" IDS.  The "bad guys" can be on
the inside just as easily as they can be on the outside.  Finally, know
what is on your network.  If you don't have a webserver, you may not
need web server rules, etc.  Other than that, I think we would need to
know what you already have in place to be able to make suggestions.

Good luck.

-the dataking

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Rich
Sent: Tuesday, June 17, 2003 8:27 AM
To: Snort Users List (E-mail)
Subject: [Snort-users] Making Snort Rules More "Sensitive"

1. I'm a Snort (and pretty much Linux/Unix) newbie. Just getting back
this after several months hiatus.

2. We got dinged in a security audit last year about our IDS rules
not being "sensitive enough" and were told we needed to raise (lower?)
sensitivity thresholds. Okay, if some one can tell me where to start
to accomplish this, I'd really appreciate the help.

Richard L. Lichvar
Director, Operations
Knowledge Resource Center, Inc.
Phone: 703-848-2100 x228
Fax: 703-848-4747
Mobile: 571-221-3430

This SF.Net email is sponsored by: INetU
Attention Web Developers & Consultants: Become An INetU Hosting Partner.
Refer Dedicated Servers. We Manage Them. You Get 10% Monthly Commission!
INetU Dedicated Managed Hosting http://www.inetu.net/partner/index.php
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list