[Snort-users] Generating reports
Alex Butcher, ISC/ISYS
Alex.Butcher at ...11254...
Tue Sep 21 00:49:03 EDT 2004
--On 20 September 2004 16:57 -0400 Marie Severe
<Msevere at ...12456...> wrote:
> Can anyone please give me advice on generating reports with Snort?
> Currently, the default rules are giving me too much information. How can
> I fine-tune Snort and generate reports which provide information and not
> just an overload of data? Any help will be appreciated.
I'll list my usual approach to tuning IDS rules:
1) disable rules that are too vague and only alert to *possible*
2) for rules that are triggered legitimately by certain hosts (e.g. routers
generating SNMP traffic, etc.), disable those rules for those hosts.
3) for rules that are still noisy, set thresholds.
> Thank you,
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
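
The three tuning steps from the reply above, written out as Snort 2.x `threshold.conf` directives. This is an added example, not part of the original message; every sig_id and IP address in it is a constructed placeholder, and the file is assumed to be included from snort.conf.

```conf
# threshold.conf, assumed to be pulled in from snort.conf with:
#   include threshold.conf
# All sig_id values and addresses below are constructed placeholders.

# Step 1: a rule too vague to act on is switched off everywhere.
# Either comment the rule out in its .rules file, or suppress it globally:
suppress gen_id 1, sig_id 1000001

# Step 2: a rule that a known host triggers legitimately stays active
# for every other host. 192.0.2.1 stands in for a router that emits
# SNMP traffic as part of normal operation.
suppress gen_id 1, sig_id 1000002, track by_src, ip 192.0.2.1
# The same rule, silenced when the destination is a management subnet:
suppress gen_id 1, sig_id 1000002, track by_dst, ip 192.0.2.64/26

# Step 3: a rule that is still noisy after steps 1 and 2 gets a threshold.
# type limit: log only the first alert per source in each 60 s window.
threshold gen_id 1, sig_id 1000003, type limit, track by_src, count 1, seconds 60
# type threshold: log one alert for every 5 matches per source within 60 s.
threshold gen_id 1, sig_id 1000004, type threshold, track by_src, count 5, seconds 60
# type both: log a single alert per 300 s window, and only once the
# destination has seen 10 matches in that window.
threshold gen_id 1, sig_id 1000005, type both, track by_dst, count 10, seconds 300
```

Per-host suppression keeps the rule alerting for every other address, so an unexpected host producing the same traffic is still reported.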