[Snort-users] Performance and rule tuning
Shawn.Jefferson at ...14448...
Thu Dec 4 13:57:33 EST 2008
I've read through the README and I still have a question: what should the gen_id of "ftp_pp: FTP command channel encrypted" be? 125 or 1?
My suppress rule looks like:
suppress gen_id 125, sig_id 7
From: Joel Esler [mailto:eslerj at ...11827...]
Sent: December 03, 2008 1:34 PM
To: Jefferson, Shawn
Cc: Snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Performance and rule tuning
On Dec 3, 2008, at 2:57 PM, Jefferson, Shawn wrote:
> One more question about rule tuning:
> I am getting some false positives from the ftp pre-processor. How
> do I suppress these without disabling the pre-processor altogether?
Threshold and Suppression commands. Take a look at the
README.threshold in the doc/ directory of your Snort tarball, also
take a look at the threshold.conf file in the etc/ directory of your
Snort tarball. You will see many examples on how to configure
Threshold and Suppression, in order to tune your system.
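
Added example, not part of the original thread: each Snort alert carries a `[gid:sid:rev]` triple, so the generator ID for a suppress line can be read from the alerts themselves. The sketch below assumes the "fast" alert format; the sample lines are constructed (the 125:7 pair mirrors the suppress line in the post), and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample alerts (fast format). Addresses, times and the 1:1000001
# rule are made up; 125:7 mirrors the suppress line quoted in the post.
SAMPLE_ALERTS = """\
12/04-13:40:01.100000  [**] [125:7:1] ftp_pp: FTP command channel encrypted [**] [Priority: 3] {TCP} 192.0.2.10:40112 -> 198.51.100.5:21
12/04-13:41:17.220000  [**] [125:7:1] ftp_pp: FTP command channel encrypted [**] [Priority: 3] {TCP} 192.0.2.11:40250 -> 198.51.100.5:21
12/04-13:42:09.000000  [**] [1:1000001:2] LOCAL constructed test rule [**] [Priority: 2] {TCP} 192.0.2.12:51000 -> 198.51.100.9:80
this line is not an alert and must be skipped
12/04-13:45:30.500000  [**] [125:7:1] ftp_pp: FTP command channel encrypted [**] [Priority: 3] {TCP} 192.0.2.10:40390 -> 198.51.100.5:21
"""

# [**] [gid:sid:rev] message [**]
ALERT_RE = re.compile(r"\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]")

def count_alerts(text):
    """Return (hit counts, first-seen message) keyed by (gid, sid)."""
    counts, messages = Counter(), {}
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # ignore anything that is not a fast-format alert
        key = (int(m.group(1)), int(m.group(2)))
        counts[key] += 1
        messages.setdefault(key, m.group(4))
    return counts, messages

def suppress_candidates(text, min_hits=2):
    """Build suppress lines for (gid, sid) pairs seen at least min_hits times."""
    counts, _ = count_alerts(text)
    return [f"suppress gen_id {gid}, sig_id {sid}"
            for (gid, sid), n in counts.most_common() if n >= min_hits]

if __name__ == "__main__":
    counts, messages = count_alerts(SAMPLE_ALERTS)
    for (gid, sid), n in counts.most_common():
        print(f"# {n} hit(s) {gid}:{sid} {messages[(gid, sid)]}")
    # Review each candidate before adding it to threshold.conf.
    print("\n".join(suppress_candidates(SAMPLE_ALERTS)))
```
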