[Snort-users] Good Snort Signatures <-- is all in tuning

Keith W. McCammon mccammon at ...11827...
Tue Aug 24 19:28:21 EDT 2004


Check out Sourcefire's Defense Center solution.  3D uses their RNA
system, which is system- and network-aware to contextualize and
prioritize sensor alert data.  Note that this is not an auto-tuning
IDS, but does use information about your local network, as well as
policy-based parameters, to help you "cut to the chase" when dealing
with alert data.

http://sourcefire.com/products/mgmt.html

On Tue, 24 Aug 2004 22:03:13 -0400, Adriel T. Desautels
<atd at ...10635...> wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Patrick et al.,
>         This is what I had suspected all along but wanted to check my
> thoughts against you folks. I heard rumors about "better rules" or
> "more well written rules" but have never seen such rule sets. My next
> adventure, does anyone know of a utility which will configure snort
> rules automatically based on a detected network configuration? If so,
> please let me know.
> 
> Adriel T. Desautels
> Founder and CTO
> Secure Network Operations
> Embracing the future of technology, protecting you.
> Office:  978-263-3829    Fax: 978-263-3313
> atd at ...10635...      www.secnetops.com
> 
> - -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Patrick
> S. Harper
> Sent: Tuesday, August 24, 2004 8:31 PM
> To: atd at ...10635...; snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] Good Snort Signatures
> 
> I believe the problem is not in the rules but in the tuning.  It is
> not an hour or two process for ANY IDS.  I have worked with most of
> the major versions in the last 5 years and even worked as an SE for
> one of the manufacturers.
> 
> I find that a lot of people just install snort, crank it up, open
> acid and get overwhelmed.  You have variables to define, and you need
> to do all of them, not just home and external net.  Then you need to
> go through and get rid of the rules that do not mean anything to you.
> 
> Patrick S. Harper | CISSP RHCT MCSE
> www.internetsecurityguru.com
> 
> www.ntsug.org - Snort Users Group
> 
> "If there is no light at the end of the tunnel, get down there and
> light the damn thing yourself!"
> 
> - -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Adriel
> T. Desautels
> Sent: Tuesday, August 24, 2004 12:57 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Good Snort Signatures
> 
> Greetings List,
>         Does anyone here know where I can find low false positive snort
> rules?  The rules from snort.org are simply bunk.  They generate way
> too many false positives and even false negatives during certain
> types of events. I am not averse to purchasing snort rules either, I
> just need something that works.
> 
> - -------------------------------------------------------
> SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank
> Media 100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only
> $33 Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
> http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> 
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 8.1
> 
> iQA/AwUBQSvzYbR5YB3MHZrzEQLQPgCfaDkmLwANLp709ruHy+qcMnMpogQAnA3X
> yLmEKnRaNypwDPn/ApxaZN/V
> =vo/A
> -----END PGP SIGNATURE-----
> 
>
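Patrick's two steps (define every snort.conf variable, then drop the rules that mean nothing on your network) as an added, runnable example. This is not code from the thread, from Snort, or from Sourcefire. It assumes the classic one-rule-per-line rules format and `var` lines in snort.conf (the regex also accepts the later `ipvar`/`portvar` forms); rules continued across lines with a backslash are not handled. The config fragment and the rules, which use SIDs in the local range (1000000 and up), are constructed samples, not real snort.org rules.

```python
"""Two checks behind "tune before you blame the rules": find snort.conf
address variables left at 'any', and comment out rules by SID.
Constructed sample config and rules are embedded so this runs offline."""
import re

# Constructed snort.conf fragment (example data, not a real deployment).
SAMPLE_CONF = """\
# --- network variables ---
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS any
var HTTP_SERVERS [192.168.1.10,192.168.1.11]
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var RULE_PATH ../rules
"""

# Constructed rules in the local SID range (>= 1000000); not real snort.org rules.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"LOCAL web probe example"; flow:to_server,established; content:"/example1"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"LOCAL telnet example"; flow:to_server,established; sid:1000002; rev:1;)
# alert icmp any any -> $HOME_NET any (msg:"LOCAL icmp example, already off"; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"LOCAL smtp example"; flow:to_server,established; sid:1000004; rev:1;)
"""

VAR_RE = re.compile(r"^\s*(?:var|ipvar|portvar)\s+(\S+)\s+(.+?)\s*$")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def parse_vars(conf_text):
    """Map variable name -> value for every var/ipvar/portvar line (comments skipped)."""
    found = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = VAR_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def untuned_vars(conf_text):
    """Address variables (*_NET, *_SERVERS) still set to 'any', sorted by name.
    An undefined HOME_NET is reported first: with it unset, every $HOME_NET
    rule matches traffic to and from everything."""
    found = parse_vars(conf_text)
    flagged = [name for name in sorted(found)
               if (name.endswith("_NET") or name.endswith("_SERVERS"))
               and found[name].strip().lower() == "any"]
    if "HOME_NET" not in found:
        flagged.insert(0, "HOME_NET (undefined)")
    return flagged


def active_sids(rules_text):
    """SIDs of rules that are not commented out (one rule per line assumed)."""
    sids = []
    for line in rules_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = SID_RE.search(line)
        if m:
            sids.append(int(m.group(1)))
    return sids


def disable_sids(rules_text, sids_to_disable):
    """Comment out active rules whose SID is in sids_to_disable.
    The rule text is kept (prefixed with '# ') so it can be turned back on
    later. Returns (new_rules_text, list_of_sids_actually_disabled)."""
    out, disabled = [], []
    for line in rules_text.splitlines():
        m = SID_RE.search(line)
        sid = int(m.group(1)) if m else None
        if sid in sids_to_disable and not line.lstrip().startswith("#"):
            out.append("# " + line)
            disabled.append(sid)
        else:
            out.append(line)
    return "\n".join(out) + "\n", disabled


if __name__ == "__main__":
    print("variables still at 'any':", untuned_vars(SAMPLE_CONF))
    new_rules, gone = disable_sids(SAMPLE_RULES, {1000002, 1000003})
    print("disabled:", gone, "still active:", active_sids(new_rules))
```

Run it against a real snort.conf and rules directory by reading the files into the two functions; anything `untuned_vars` reports is a variable that is still turning every rule referencing it into an "any" match, which is the usual source of the alert flood Patrick describes.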