[Snort-users] Good Snort Signatures

Keith W. McCammon mccammon at ...11827...
Tue Aug 24 12:16:02 EDT 2004


Try this (talks a good deal about tuning):

http://www.amazon.com/exec/obidos/tg/detail/-/0735712654/

And then this (talks about tuning Snort, specifically):

http://www.amazon.com/exec/obidos/tg/detail/-/1931836043/

Then, once you're back to implementation, maybe check out something
like this (console that allows you to monitor more efficiently):

http://sguil.sourceforge.net

The rules are not "bunk."  You have probably failed to tune your
sensor(s).  Most FPs/FNs are caused by operators who don't do things
like disable preprocessor options that don't apply, comment out rules
for services that aren't running, set variables appropriately, etc.

You can pay tens of thousands for some other IDS, with some other
ruleset.  If you turn everything on without tuning, you'll have the
same result.  Throwing money at the problem won't make the problem go
away :)

On Tue, 24 Aug 2004 13:57:15 -0400, Adriel T. Desautels
<atd at ...10635...> wrote:
> Greetings List,
>        Does anyone here know where I can find low false positive snort
> rules?  The rules from snort.org are simply bunk.  They generate way too
> many false positives and even false negatives during certain types of
> events. I am not adverse to purchasing snort rules either, I just need
> something that works.
> 
> -------------------------------------------------------
> SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
> 100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
> Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
> http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>




More information about the Snort-users mailing list