[Snort-users] Rules optimization
erek at ...950...
Wed Jun 18 10:20:14 EDT 2003
On Wed, 18 Jun 2003, Vuppala, Vijaybhasker (EM, GECIS) wrote:
> I have used Snort ver 1.8.7 on Redhat Linux 7.3 with Default Rules provided
You need to upgrade. Versions <=1.9.1 have a nasty remotely exploitable
hole in them.
As for rule tuning, it sounds like you don't have the HOME_NET and
EXTERNAL_NET variables set correctly. HOME_NET should be set to the
network you want to "watch", and EXTERNAL_NET should be everything else.
So if your network was 10.10.10.0/24:
var HOME_NET 10.10.10.0/24
var EXTERNAL_NET !$HOME_NET
With those settings it should reduce the number of false positives you get.
As for tuning, you simply have to get Snort set up and working, and then
examine each and every alert. You then have to decide if the packets are
'normal' or not. You'll discover things that you need to set up pass rules
for, add BPF filters or add a rule for. Something like Ntop is very
helpful in this respect to get a nice 'overview' of your network's traffic.
"When things get weird, the weird turn pro." H.S. Thompson
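The triage step Erek describes (look at every alert, decide whether it is normal, then reach for a pass rule, a BPF filter or a new rule) can be front-loaded with a small script. The following is an added example, not code from the Snort project or from anyone on this thread. It assumes Snort's alert_fast output format (one alert per line: timestamp, `[**] [gid:sid:rev] msg [**]`, classification, `{PROTO} src:port -> dst:port`), and it uses the 10.10.10.0/24 HOME_NET from the message. The alert lines, SIDs, messages and addresses are constructed sample data. It buckets each SID by direction relative to HOME_NET: alerts whose source and destination are both inside HOME_NET are the ones that `var EXTERNAL_NET !$HOME_NET` silences for any rule with `$EXTERNAL_NET` on either side, while everything else is what still has to be examined by hand.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample data in Snort's alert_fast format (one alert per line).
# The SIDs, messages and addresses are illustrative, not a real capture.
SAMPLE_ALERTS = """\
06/18-10:01:12.000001  [**] [1:1201:7] ATTACK-RESPONSES 403 Forbidden [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.10.10.8:80 -> 10.10.10.25:3122
06/18-10:02:03.000002  [**] [1:1201:7] ATTACK-RESPONSES 403 Forbidden [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.10.10.8:80 -> 10.10.10.31:3140
06/18-10:03:44.000003  [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.10.10.40:1900 -> 239.255.255.250:1900
06/18-10:05:10.000004  [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.10.10.41:1900 -> 239.255.255.250:1900
06/18-10:07:55.000005  [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.77:2890 -> 10.10.10.8:80
06/18-10:09:21.000006  [**] [1:1201:7] ATTACK-RESPONSES 403 Forbidden [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.10.10.8:80 -> 198.51.100.9:51234
06/18-10:11:02.000007  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.10.10.5 -> 10.10.10.8
06/18-10:11:03.000008  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.10.10.5 -> 10.10.10.9
"""

# One alert_fast line: timestamp, [**] [gid:sid:rev] msg [**], optional
# classification/priority, then {PROTO} src[:port] -> dst[:port].
ALERT_RE = re.compile(
    r"^\S+\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def strip_port(endpoint):
    """'10.10.10.8:80' -> '10.10.10.8'. ICMP alerts carry no port (IPv4 only)."""
    host, sep, _port = endpoint.rpartition(":")
    return host if sep else endpoint


def parse_alerts(text):
    """Parse alert_fast lines; lines that do not match the format are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        alerts.append({
            "sid": int(m.group("sid")),
            "msg": m.group("msg"),
            "proto": m.group("proto"),
            "src": strip_port(m.group("src")),
            "dst": strip_port(m.group("dst")),
        })
    return alerts


def direction(src, dst, home_net):
    """Classify a flow relative to HOME_NET."""
    s_in = ipaddress.ip_address(src) in home_net
    d_in = ipaddress.ip_address(dst) in home_net
    if s_in and d_in:
        return "home->home"
    if s_in:
        return "home->external"
    if d_in:
        return "external->home"
    return "external->external"


def triage(text, home_cidr):
    """Map (sid, msg) -> Counter of flow directions seen for that rule."""
    home_net = ipaddress.ip_network(home_cidr)
    per_sid = defaultdict(Counter)
    for a in parse_alerts(text):
        per_sid[(a["sid"], a["msg"])][direction(a["src"], a["dst"], home_net)] += 1
    return dict(per_sid)


def suggest(text, home_cidr):
    """Split SIDs into those that only ever fired on home->home traffic (which
    EXTERNAL_NET = !$HOME_NET stops matching for rules that use $EXTERNAL_NET)
    and those that still need a human decision: pass rule, BPF filter or keep."""
    fixed_by_vars, needs_review = [], []
    for (sid, _msg), dirs in sorted(triage(text, home_cidr).items()):
        if set(dirs) == {"home->home"}:
            fixed_by_vars.append(sid)
        else:
            needs_review.append(sid)
    return fixed_by_vars, needs_review


if __name__ == "__main__":
    for (sid, msg), dirs in sorted(triage(SAMPLE_ALERTS, "10.10.10.0/24").items()):
        print(f"sid {sid:>5}  {msg:<40} {dict(dirs)}")
    print("silenced by EXTERNAL_NET !$HOME_NET:", suggest(SAMPLE_ALERTS, "10.10.10.0/24")[0])
    print("still need review:", suggest(SAMPLE_ALERTS, "10.10.10.0/24")[1])
```

Run it against a real alert file by replacing SAMPLE_ALERTS with the file contents and passing your own HOME_NET. The "home->home" bucket disappears only for rules whose header uses `$EXTERNAL_NET`; a rule written with `any` on both sides keeps firing regardless of the variables, so the remaining SIDs in the review list are exactly where a pass rule or BPF filter has to be justified by looking at the packets.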