[Snort-users] Filtering alerts

Richard Brackett rbrackett at ...10146...
Tue Sep 23 06:43:11 EDT 2003


I understand what you're saying, but what about a rule I'm interested in
like the IIS Code Red rule. I know that all my current servers are
patched against it so the alerts I get are just noise. I'm loath to
disable the rule though because I never know when someone might put up
an unpatched IIS box and get it infected. So, I'd like to be able to say
"Don't alert when you see this attack to these addresses, but please
alert to any other address." The only way to do it with Snort seems to
be to use pass rules, which are supposed to take more CPU cycles to
process. The BPF rules don't help me with individual SIDs, just IPs
and protocols.

Is there an output processing system that will filter alerts before
sending them to mysql for ACID to look at?


-----Original Message-----
From: Erek Adams [mailto:erek at ...950...] 
Sent: Tuesday, September 23, 2003 6:52 AM
To: Richard Brackett
Cc: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Filtering alerts

On Mon, 22 Sep 2003, Richard Brackett wrote:

> Yes, I saw that. That's why I upgraded to 2.0.2. :-)
>
>
> It doesn't help me with "noise" though. For example, I don't care about
> the various IIS related signatures that fire against my Citrix servers.
> They aren't vulnerable to those attacks. I don't want to turn the rule
> off though, because I have IIS servers and I never know when some yutz
> is going to put a new one up without patches.

It's called "rule tuning".

Offhand, I'd guess that you're running the standard default ruleset.  If
you are, that's your trouble.  Those default rules aren't set up to be used
in a "real world" situation due to how noisy they are.  They are more
suited for some sort of small net with a low amount of traffic.

If using that, you simply need to go over each rule and decide how
important it is for your network.  Disable rules as needed, and fine tune
others.

You can also use BPF filters, which save you on processing overhead.
Check FAQ 3.9 [0].

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


[0]	http://www.snort.org/docs/FAQ.txt
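
Added example, not part of the original thread or of Snort itself: a sketch of the per-SID, per-destination filter asked about above, applied to alert lines before they are forwarded to a database. It assumes Snort's "fast" alert line layout and IPv4 endpoints; the SID 1000001, the documentation-range addresses and the function names are constructed placeholders.

```python
import ipaddress
import re

# Fast alert line: timestamp [**] [gid:sid:rev] msg [**] ... {PROTO} src -> dst
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
)

# Constructed policy: (gid, sid) 1:1000001 stands in for the IIS Code Red
# rule; the networks are the servers already known to be patched.
SUPPRESS = {
    (1, 1000001): [ipaddress.ip_network("192.0.2.10/32"),
                   ipaddress.ip_network("192.0.2.32/28")],
}

def should_forward(line, suppress=SUPPRESS):
    """False only when the rule is suppressed for this destination."""
    m = ALERT_RE.search(line)
    if m is None:
        return True  # unparseable lines are forwarded, never silently dropped
    key = (int(m["gid"]), int(m["sid"]))
    try:
        dst = ipaddress.ip_address(m["dst"].split(":", 1)[0])  # strip :port
    except ValueError:
        return True
    return not any(dst in net for net in suppress.get(key, ()))

def filter_alerts(lines, suppress=SUPPRESS):
    """Return the alert lines that should still reach the database."""
    return [line for line in lines if should_forward(line, suppress)]

# Constructed sample alerts (not captured traffic).
_FMT = ("09/23-06:43:11.000001  [**] [1:{sid}:1] {msg} [**] "
        "[Classification: Web Application Attack] [Priority: 1] "
        "{{TCP}} 198.51.100.7:3311 -> {dst}:80")
SAMPLE = [
    _FMT.format(sid=1000001, msg="constructed Code Red stand-in", dst="192.0.2.10"),
    _FMT.format(sid=1000001, msg="constructed Code Red stand-in", dst="192.0.2.40"),
    _FMT.format(sid=1000001, msg="constructed Code Red stand-in", dst="192.0.2.99"),
    _FMT.format(sid=1000002, msg="constructed other rule", dst="192.0.2.10"),
]

if __name__ == "__main__":
    for line in filter_alerts(SAMPLE):
        print(line)
```

The same SID hitting an address outside the suppression list (192.0.2.99 here) is still forwarded, which covers the case of a new unpatched server.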



