[Snort-users] Rules optimization

Erek Adams erek at ...950...
Wed Jun 18 10:20:14 EDT 2003


On Wed, 18 Jun 2003, Vuppala, Vijaybhasker (EM, GECIS) wrote:

> I have used Snort ver 1.8.7 on Redhat Linux 7.3 with Default Rules provided

[...snip...]

You need to upgrade.  Versions <=1.9.1 have a nasty remotely exploitable
hole in them.

As for rule tuning, it sounds like you don't have the HOME_NET and
EXTERNAL_NET variables set correctly.  HOME_NET should be set to the
network you want to "watch", and EXTERNAL_NET should be everything else.
So if your network was 10.10.10.0/24:

	var HOME_NET 10.10.10.0/24
	var EXTERNAL_NET !$HOME_NET

With those settings it should reduce the number of false postives you get.

As for tuning, you simply have to get Snort setup and working, and then
examine each and every alert.  You have then decide if the packets are
'normal' or not.  You'll discover things that you need to setup pass rules
for, add BPF filters or add a rule for.  Something like Ntop [0] is very
helpful in this respect to get a nice 'overview' of your networks traffic.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


[0]	http://www.ntop.org/




More information about the Snort-users mailing list