[Snort-users] Rate of alert

Joel Esler joel.esler at ...1935...
Fri Aug 25 12:01:19 EDT 2006


The number of alerts depends on a million things (okay, well, maybe not a million, but.  several.)

How many rules you have turned on
Placement of sensor
amount of traffic
vulnerability of network
number of possibly compromised machines
bad programs
bad operating systems
untuned sensor
number of web servers
...
...
...

Start off by turning off rules that don't apply to you (ex.  don't run pop3 servers?  turn off pop3 rules), turn off rules that you don't care about (snmp, icmp, etc..)  tune your http_inspect preprocessor, ftp_telnet preprocessor, smtp preprocessor, frag3..  etc..etc...

That should give you a start.

Joel


On Fri, Aug 25, 2006 at 09:03:03AM -0500, Patrick S. Harper apparently sent me:
> You have to turn you snort.conf and your rules to weed these out.  Setting
> it up is the easy part, tuning is the hard part.
> 
> -----Original Message-----
> From: snort-users-bounces at lists.sourceforge.net
> [mailto:snort-users-bounces at lists.sourceforge.net] On Behalf Of Denis
> Sacchet
> Sent: Friday, August 25, 2006 8:32 AM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Rate of alert
> 
> Hello everybody,
> 
> I wonder if 60 unique alerts (for about 10000 alerts) is normal for a
> snort configuration. Moreover, those alerts seems to not correspond
> every time, and I adjust my rules to filter for example vulnerability on
> IMAP server type, but my IMAP server is not of this type, IIS attack
> onto apache web server, etc ...
> 
> Perhaps something is wrong in the configuration used.
> 
> Thanks for your point of view and your input about the number of alert
> and the type;
> 
> Best regards
> 
> Denis Sacchet
> 
> -------------------------------------------------------------------------
> Using Tomcat but need to do more? Need to support web services, security?
> Get stuff done quickly with pre-integrated technology to make your job
> easier
> Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> 
> 
> -------------------------------------------------------------------------
> Using Tomcat but need to do more? Need to support web services, security?
> Get stuff done quickly with pre-integrated technology to make your job easier
> Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
+---------------------------------------------------------------------+
joel esler          senior security consultant         1-706-627-2101
Sourcefire    Security for the /Real/ World -- http://www.sourcefire.com
       Snort - Open Source Network IPS/IDS -- http://www.snort.org
         gpg key: http://demo.sourcefire.com/jesler.pgp.key
           aim:eslerjoel  ymsg:eslerjoel gtalk:eslerj
+---------------------------------------------------------------------+




More information about the Snort-users mailing list