[Snort-users] How we can identify and remove old signatures?

Paul Melson pmelson at ...11827...
Tue Jun 19 10:16:32 EDT 2007


> as you know snort has a lot of signatures that some of them are expired
now.
> Do you have any idea to identify and remove the expired signatures? (I
want to
> decrease the loading time)

I don't know about expired, but certainly many of them are several years old
and detect attacks that may not affect your environment because of the
systems that aren't present and also the patch levels of the systems that
are.  

Evaluating the signatures that affect your environment is something that you
will definitely need to dedicate some time to now and on a regular basis in
the future.  I recommend using a tool like Oinkmaster or Activeworx IDS
Policy Manager to aid you in managing your signature set.  It's the hardest
part of maintaining NIDS, but also the most valuable.  It not only helps
with sensor performance, but it also helps reduce the 'noise' of irrelevant
or erroneous alerts that you otherwise must sift through when using a
default rule set.

I wrote a blog post back in March about finding and disabling rules by
Microsoft patch/bulletin IDs that are present in the rules.  This may help
you or give you some ideas on how to proceed with your own tuning efforts.

http://pmelson.blogspot.com/2007/03/when-it-comes-to-tuning-ids-and.html


PaulM





More information about the Snort-users mailing list