[Snort-users] Making Snort Rules More "Sensitive"

L. Christopher Luther CLuther at ...6333...
Tue Jun 17 09:37:02 EDT 2003

Can you be more explicit in what exactly "sensitivity thresholds" means?  

AFAIK, there is no sensitivity threshold for the various rules -- either the
packet matches or it doesn't.  

However, the original portscan preprocessor has threshold settings [0]:  xx
number of ports accesses within xx seconds.  The portscan2 preprocessor also
has threshold settings [1].  



[0] http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.4.2
[1] http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.4.7

-----Original Message-----
From: Rich Lichvar [mailto:rlichvar at ...9486...]
Sent: Tuesday, June 17, 2003 11:27 AM
To: Snort Users List (E-mail)
Subject: [Snort-users] Making Snort Rules More "Sensitive"

1. I'm a Snort (and pretty much Linux/Unix) newbie. Just getting back into
this after several months hiatus.

2. We got dinged in a security audit last year about our IDS rules (Snort)
not being "sensitive enough" and were told we needed to raise (lower?) the
sensitivity thresholds. Okay, if some one can tell me where to start looking
to accomplish this, I'd really appreciate the help.

Richard L. Lichvar
Director, Operations
Knowledge Resource Center, Inc.
Phone: 703-848-2100 x228
Fax: 703-848-4747
Mobile: 571-221-3430

This SF.Net email is sponsored by: INetU
Attention Web Developers & Consultants: Become An INetU Hosting Partner.
Refer Dedicated Servers. We Manage Them. You Get 10% Monthly Commission!
INetU Dedicated Managed Hosting http://www.inetu.net/partner/index.php
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list