[Snort-users] Rule Selection

Adam Kliarsky 360air at ...5068...
Mon Feb 21 07:09:23 EST 2005

Not an approach I'd recommend...you may reduce your false positives, but are
still subject to human error and subsequent true negatives. Man hours vs.
system compromise.
Consider using an approach that involves 'turning off' certain rules rather
than groups of rules. Define your environment in snort.conf, and turn off
rules you know you do not need.
Even though tcp/80 is the only port listening, you have other attack
vectors; shellcode, icmp floods, etc. that the IDS can correlate on. Keep in
mind a targeted attack may attempt other avenues, and it'd be nice to
correlate that in the alerts.
Just my $0.02
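The advice above is to switch off specific rules you know you do not need rather than dropping whole rule groups, with the environment (`var HOME_NET`, `var HTTP_PORTS` and friends) defined in snort.conf. The script below is an added example, not code from the list post or from the Snort project: it toggles individual Snort 2.x rules by sid in a rules file, handling backslash-continued rules, so the rule files stay whole and every exception is explicit and reversible. The sample rules and their sids (9000001 through 9000004) are constructed placeholders.

```python
"""Toggle individual Snort 2.x rules by SID rather than dropping rule categories.
Added example; rule syntax follows Snort 2.x, the sids below are constructed."""
import re

# Rule actions that can start a Snort 2.x rule line.
ACTIONS = ("alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop")
RULE_START_RE = re.compile(r"^\s*(#\s*)?(" + "|".join(ACTIONS) + r")\b")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

# Constructed sample rules file (hypothetical sids in the 9000000 range).
SAMPLE_RULES = r"""# web-attacks.rules (constructed sample)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC sample traversal"; flow:to_server,established; content:"../"; classtype:web-application-attack; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC sample long header"; \
    flow:to_server,established; content:"X-Test|3a|"; classtype:web-application-attack; sid:9000002; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP sample echo request"; itype:8; classtype:misc-activity; sid:9000003; rev:1;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SHELLCODE sample NOP sled"; content:"|90 90 90 90 90 90 90 90|"; classtype:shellcode-detect; sid:9000004; rev:1;)
"""


def _record(buf):
    """Classify one logical record: (lines, sid), sid is None for non-rule lines."""
    joined = " ".join(l.rstrip().rstrip("\\") for l in buf)
    m = SID_RE.search(joined) if RULE_START_RE.match(joined) else None
    return buf, (int(m.group(1)) if m else None)


def logical_rules(text):
    """Group physical lines into logical rules, honouring trailing-backslash continuation."""
    records, buf = [], []
    for line in text.splitlines():
        buf.append(line)
        if not line.rstrip().endswith("\\"):  # no continuation: record is complete
            records.append(_record(buf))
            buf = []
    if buf:  # continuation backslash on the last line of the file
        records.append(_record(buf))
    return records


def is_commented(lines):
    """True when every physical line of the record is commented out."""
    return all(l.lstrip().startswith("#") for l in lines)


def set_rule_state(text, disable=(), enable=()):
    """Return the rules text with the given sids commented out / uncommented.
    Every physical line of a multi-line rule is toggled so Snort never sees a
    stray continuation line."""
    disable, enable = set(disable), set(enable)
    out = []
    for lines, sid in logical_rules(text):
        if sid in disable and not is_commented(lines):
            lines = ["# " + l for l in lines]
        elif sid in enable and is_commented(lines):
            lines = [re.sub(r"^(\s*)#\s?", r"\1", l) for l in lines]
        out.extend(lines)
    return "\n".join(out) + "\n"


def active_sids(text):
    """Set of sids that Snort would actually load from this rules text."""
    return {sid for lines, sid in logical_rules(text)
            if sid is not None and not is_commented(lines)}


if __name__ == "__main__":
    # Keep the web rules on a web server, but drop two specific sids rather than
    # a whole category; the icmp and shellcode rules stay active.
    trimmed = set_rule_state(SAMPLE_RULES, disable=[9000001, 9000002])
    print(trimmed)
    print("active:", sorted(active_sids(trimmed)))
```

Snort treats `#`-prefixed lines as disabled, so the output can be written back over the rules file; keeping the disable list next to snort.conf under version control makes each exception reviewable when the rule set is updated.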

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Rudi Starcevic
Sent: Thursday, February 10, 2005 10:30 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Rule Selection


A colleague of mine suggested to me that on a machine with only port 80 open
(www server) one should only use www Snort rules.
That would mean not using a lot of available rules for intrusion detection;
is that wise?

Best regards
