[Snort-users] Good Snort Signatures

Alex Butcher, ISC/ISYS Alex.Butcher at ...11254...
Wed Aug 25 01:36:13 EDT 2004


--On 24 August 2004 15:15 -0400 "Keith W. McCammon" <mccammon at ...11827...> 
wrote:

[snip]

> The rules are not "bunk."  You have probably failed to tune your
> sensor(s).  Most FPs/FNs are caused by operators who don't do things
> like disable preprocessor options that don't apply, comment out rules
> for services that aren't running, set variables appropriately, etc.
>
> You can pay tens of thousands for some other IDS, with some other
> ruleset.  If you turn everything on without tuning, you'll have the
> same result.  Throwing money at the problem won't make the problem go
> away :)

...and what's more, the commercial NIDS I've used (ISS RS, and Cisco SIDS) 
don't allow you to see what their 'signatures' are even looking for (I 
think Cisco, at least, were planning on opening it up a bit - but not for 
signatures matching vulnerabilities that hadn't yet been patched by the 
respective vendors). Therefore, the only options you had were to disable 
rules or limit them to certain IP addresses and ranges.

Because Snort's rules are open, it's possible to refine what they're 
looking for quite easily.

Best Regards,
Alex.
-- 
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
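The tuning steps the thread lists (set variables, switch off preprocessor options that don't apply, comment out rules for services that aren't running, and limit noisy rules to particular hosts instead of disabling them) as an added Snort 2.x configuration excerpt. This is not from the post or the Snort distribution; every address, port, rule path, hostname and the local rule SID below is a constructed assumption, and the untuned default is shown commented out beside the tuned value so the difference is visible.

```conf
# Added example (not from the post): tuned snort.conf excerpt in Snort 2.x syntax.
# All addresses, ports, rule paths and the local SID are constructed for illustration.

# 1. Set variables so rules can only match traffic that is actually yours.
#    With the shipped default of HOME_NET any, every packet counts as "internal".
# var HOME_NET any                               # untuned default
var HOME_NET 192.168.10.0/24                     # tuned: the monitored segment
var EXTERNAL_NET !$HOME_NET
var HTTP_SERVERS [192.168.10.20,192.168.10.21]   # only hosts that really run a web server
var HTTP_PORTS 80
var SMTP_SERVERS 192.168.10.25
var RULE_PATH /etc/snort/rules

# 2. Trim preprocessor options that don't apply to this segment:
#    only Apache here, so the IIS-specific http_inspect checks are not enabled.
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    profile apache ports { 80 } oversize_dir_length 500

# 3. Comment out rule files for services that are not running on this segment.
include $RULE_PATH/web-cgi.rules
# include $RULE_PATH/web-iis.rules            # no IIS behind this sensor
# include $RULE_PATH/web-coldfusion.rules     # no ColdFusion either
# include $RULE_PATH/oracle.rules             # no Oracle listeners

# 4. Limit a rule to the hosts it matters for rather than disabling it:
#    this constructed local rule only fires for traffic to the real mail server.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"LOCAL SMTP VRFY probe"; \
    flow:to_server,established; content:"VRFY"; nocase; \
    classtype:attempted-recon; sid:1000001; rev:1;)

# 5. Exclude one known-benign source (the internal mail relay, constructed)
#    from that alert without editing the rule; threshold.conf syntax.
suppress gen_id 1, sig_id 1000001, track by_src, ip 192.168.10.5
```

Each step narrows the address or port space a rule can match on, which is where most of the false positives the thread is talking about come from; the final `suppress` line is the "limit them to certain IP addresses" option done while the rule itself stays active and readable for everyone else.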
