[Snort-users] Rule Selection
360air at ...5068...
Mon Feb 21 07:09:23 EST 2005
Not an approach I'd recommend... you may reduce your false positives, but are
still subject to human error and subsequent true negatives. Man hours vs.
Consider using an approach that involves 'turning off' certain rules rather
than groups of rules. Define your environment in snort.conf, and turn off
rules you know you do not need.
Even though tcp/80 is the only port listening, you have other attack
vectors (shellcode, ICMP floods, etc.) that the IDS can correlate on. Keep in
mind a targeted attack may attempt other avenues, and it'd be nice to
correlate that in the alerts.
Just my $0.02
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Rudi Starcevic
Sent: Thursday, February 10, 2005 10:30 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Rule Selection
A colleague of mine suggested to me that on a machine with only port 80 open
(www server) one should only use www Snort rules.
That would mean not using a lot of available rules for intrusion detection;
is that wise?
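The reply above recommends switching off individual rules you know you do not need rather than dropping whole rule groups. The script below is an added example (not code from either poster or from the Snort project) of that per-rule approach: it comments out exactly the rules whose SIDs you list and reports which SIDs it actually found, so a mistyped SID does not silently leave a rule on. The rule lines it operates on are a constructed sample in Snort 2.x syntax, not real ruleset content; rule-management tools such as Oinkmaster do the same job with their `disablesid` setting.

```python
import re
from typing import Iterable, Optional, Set, Tuple

# Constructed sample of a Snort 2.x rules file (assumption: not real ruleset content).
SAMPLE_RULES = """\
# web-misc.rules (constructed sample)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC sample A"; flow:to_server,established; content:"/sample-a"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC sample B"; flow:to_server,established; content:"/sample-b"; sid:1000002; rev:2;)
# already disabled by the admin
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC sample C"; sid:1000003; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP sample flood"; sid:1000004; rev:1;)
"""

# The sid option inside the rule body, e.g. "sid:1000001;"
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
# Rule actions a line must start with to count as an active rule
ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop", "activate", "dynamic")


def rule_sid(line: str) -> Optional[int]:
    """Return the SID of an active rule line, or None for comments, blank lines
    and anything else that is not a rule."""
    stripped = line.strip()
    if not stripped.startswith(ACTIONS):
        return None
    m = SID_RE.search(stripped)
    return int(m.group(1)) if m else None


def active_sids(rules_text: str) -> Set[int]:
    """All SIDs that are currently enabled in the rules text."""
    return {s for s in (rule_sid(l) for l in rules_text.splitlines()) if s is not None}


def disable_sids(rules_text: str, sids: Iterable[int]) -> Tuple[str, Set[int]]:
    """Comment out exactly the rules whose SID is in `sids`; every other line
    (including rules already commented out) is passed through unchanged.
    Returns the rewritten text and the set of SIDs that were actually disabled,
    so the caller can detect SIDs that were not present in the file."""
    wanted = set(sids)
    disabled: Set[int] = set()
    out = []
    for line in rules_text.splitlines(keepends=True):
        sid = rule_sid(line)
        if sid in wanted:
            out.append("#" + line)
            disabled.add(sid)
        else:
            out.append(line)
    return "".join(out), disabled


if __name__ == "__main__":
    # Turn off one web rule; 9999999 is a deliberately bogus SID to show the report.
    rewritten, done = disable_sids(SAMPLE_RULES, [1000002, 9999999])
    print("active before:", sorted(active_sids(SAMPLE_RULES)))
    print("active after: ", sorted(active_sids(rewritten)))
    print("disabled:     ", sorted(done))
    print("not found:    ", sorted({1000002, 9999999} - done))
```

Running the script against your own `.rules` files would mean reading each file, calling `disable_sids` with the SIDs you have decided are irrelevant to the host, and writing the result back; the "not found" set is the check worth keeping, because it is exactly the human error the reply warns about.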