[Snort-users] RE: Automated snort tuner - IDEA?

Scott, Joshua Joshua.Scott at ...1955...
Tue May 6 01:25:11 EDT 2003

There are a couple different ways of looking at this scenario:  

One is the small company with only a few networks.  The
Network/Systems/IDS/etc administrator is probably already pretty familiar
with their networks so implementing IDS and manually tuning the rules should
not be too grueling of a task.  

The other scenario is the large company such as mine.  I've got about 6 IDS
sensors set up today but I'd like it to eventually expand to include our
critical offices.  That total number of sensors I'd be managing could get
close to 100 without including additional Snort instances for each segment.
I've already got a standard Linux config so the hardware/software portion
would be a breeze.  The issue would be with the tweaking and management of
the ruleset.  Unfortunately, I'm the only IDS administrator and I only get
to wear that hat about 1-2 hours a day.  Without some type of automated or
assisted configuration tool, I'll be unable to really benefit from the IDS.
I'll be overloaded with false positives and information messages.

This automated tool could be a great benefit to the security community if
done properly.  Simply because other tools were done half-assed is not a
reason to scrap this idea.  If done properly, this tool wouldn't hurt
sysadmins, but benefit them by showing what rules are being disabled/enabled
and what may be affected.  In the current scenario, I would bet many
sysadmins leave all the default rules enabled.  I know from experience that
with all rules enabled, many legitimate rules can be overlooked due to the
sheer amount of events.  

Before any tool of this nature is going to work effectively, the
documentation of all existing rules will need to be completed.  Also, the
classification types should include some kind of documentation as to their
use.  These categories could be a great assistance in an automated
configuration/tuning tool.  I also think that adding a new field or category
to each rule that lists the affected vendor/application/version (if any)
would be extremely useful.  The tool could then prompt the user as to what
types of systems are on the network and filter based on that.  I get rather
frustrated when I start getting hit with thousands of some "FTP Attack" and
I come to find out it is a rule for a vulnerability on some FTP server that
I don't have anywhere on my network.

I'm not saying this tool should handle 100% of the sensor tuning.  I still
think it does require some degree of interaction.  All changes should
require manual intervention and sufficient documentation should be provided
so the user is aware.  

Is anyone else experiencing the same frustrations as me with managing an IDS
infrastructure in the enterprise?  I've heard some companies actually have
budgets and staff for this kind of stuff!  What's that like? ;-)

Joshua Scott 
Security Architect, CISSP 

-----Original Message-----
From: Matt Kettler [mailto:mkettler at ...4108...] 
Sent: Monday, April 28, 2003 11:34 AM
To: Always Bishan; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Automated snort tuner

At 03:02 PM 4/28/2003 +0100, Always Bishan wrote:
>Hi guys,
>Do we have an automated tuner for snort, or Is anybody
>doing it?

"automated tuner"? Do you mean something that automatically re-tweaks your 
ruleset for you?

Personally, I don't think I'd advise anyone to consider writing such a 
tool. People might be tempted to use it and not tune their setups.

There's a very large amount of subjective opinion that goes into tuning a 
snort setup and an immense number of variables to consider. Any automated 
tool would do a half-assed job at best.

You could argue that an automated tuning would be a good starting place, 
but I'd suspect most sysadmins would use it, and leave it as is without 
thinking about it. Besides, you need to be intimately familiar with your 
configuration in order to be able to make good sense of the alerts that are 
generated anyway. So auto-tuning doesn't save you much time anyway. You'll 
still have to thumb through the ruleset manually.
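
The inventory-based filtering proposed in the reply at the top of this thread, as an added example that is not part of the original messages or of Snort itself. It assumes the affected product is carried in a hypothetical `affected_product` key of each rule's `metadata` option; the rules, product names and function names are constructed for illustration. It only reports proposed changes and edits nothing, so every change still needs manual approval.

```python
import re

# Constructed sample rules (local SID range). The `affected_product` metadata
# key is hypothetical: it stands in for the field the message proposes.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP acme-ftpd overflow attempt"; content:"SITE "; metadata:affected_product acme-ftpd; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP widget-ftpd command abuse"; content:"CWD "; metadata:affected_product widget-ftpd, affected_product acme-ftpd; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB generic traversal"; content:"../"; sid:1000003; rev:1;)
# alert tcp any any -> any 25 (msg:"SMTP already disabled"; sid:1000004; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP other-ftpd login bypass"; metadata:affected_product other-ftpd; sid:1000005; rev:1;)
"""

OPTION = re.compile(r'\b(msg|sid|metadata):\s*("[^"]*"|[^;]*);')

def parse_rule(line):
    """Return msg, sid and the set of affected products for one rule line."""
    opts = {k: v.strip().strip('"') for k, v in OPTION.findall(line)}
    products = set()
    for pair in opts.get("metadata", "").split(","):
        key, _, value = pair.strip().partition(" ")
        if key == "affected_product" and value:
            products.add(value.strip().lower())
    return opts.get("msg", ""), int(opts["sid"]), products

def propose_changes(rules_text, inventory):
    """Classify active rules against the software inventory; changes nothing."""
    inventory = {p.lower() for p in inventory}
    report = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank or already disabled: out of scope
        msg, sid, products = parse_rule(line)
        if not products:
            action, why = "review", "no affected product listed"
        elif products & inventory:
            action, why = "keep", "present: " + ", ".join(sorted(products & inventory))
        else:
            action, why = "propose-disable", "not in inventory: " + ", ".join(sorted(products))
        report.append((sid, action, why, msg))
    return report

if __name__ == "__main__":
    for sid, action, why, msg in propose_changes(SAMPLE_RULES, {"acme-ftpd"}):
        print(f"{sid:<8} {action:<16} {msg}  [{why}]")
```

Rules with no product tag come back as `review` rather than being disabled, so untagged rules are never silenced by the inventory filter.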
