[Snort-users] Generating reports

Alex Butcher, ISC/ISYS Alex.Butcher at ...11254...
Tue Sep 21 00:49:03 EDT 2004


--On 20 September 2004 16:57 -0400 Marie Severe 
<Msevere at ...12456...> wrote:

> Can anyone please give me advice on generating reports with Snort?
> Currently, the default rules are giving me too much information. How can
> I fine-tune Snort and generate reports which provide information and not
> just an overload of data? Any help will be appreciated.

I'll list my usual approach to tuning IDS rules:

1) disable rules that are too vague and only alert to *possible* 
reconnaissance attempts.

2) for rules that are triggered legitimately by certain hosts (e.g. routers 
generating SNMP traffic, etc), disable those rules for those hosts.

3) for rules that are still noisy, set thresholds.

> Thank you,

Best Regards,
Alex.
-- 
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9






More information about the Snort-users mailing list