[Snort-users] Making Snort Rules More "Sensitive"
dataking at ...5190...
Tue Jun 17 08:53:16 EDT 2003
Roger that! Good point!
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Erek Adams
Sent: Tuesday, June 17, 2003 8:47 AM
To: Rich Lichvar
Cc: Snort Users List (E-mail)
Subject: Re: [Snort-users] Making Snort Rules More "Sensitive"
On Tue, 17 Jun 2003, Rich Lichvar wrote:
> 2. We got dinged in a security audit last year about our IDS rules
> not being "sensitive enough" and were told we needed to raise (lower?)
> sensitivity thresholds. Okay, if some one can tell me where to start
> to accomplish this, I'd really appreciate the help.
Sounds like they need to give you more information. It's not clear if
they mean "the rules are giving too many false positives" or "the rules
are not alerting enough". What specifically are they expecting? And if
you don't mind, just who are "they"?
At the most basic level, there isn't any "threshold" you can set. It's
just a matter of rule tuning for either problem. If you don't have
configured correctly, you'll not get 'everything'.
Find out what they mean and then it'll be easier to point you in the
"When things get weird, the weird turn pro." H.S. Thompson
This SF.Net email is sponsored by: INetU
Attention Web Developers & Consultants: Become An INetU Hosting Partner.
Refer Dedicated Servers. We Manage Them. You Get 10% Monthly Commission!
INetU Dedicated Managed Hosting http://www.inetu.net/partner/index.php
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:
More information about the Snort-users