[Snort-users] Performance and rule tuning

Todd Wease twease at ...1935...
Thu Dec 4 14:22:30 EST 2008


Hi Shawn,

FTP preprocessor alerts are under gid 125.  For preprocessor and decoder
gids/sids, take a look at etc/gen-msg.map in the snort source tree.

Todd


Jefferson, Shawn wrote:
> Hi,
>
> I've read through the README and I still have a question.. what should the gen_id of "ftp_pp: FTP command channel encrypted" be?  125 or 1 ?
>
> My suppress rule looks like:
>
> suppress gen_id 125, sig_id 7
>
> Thanks,
> Shawn
>
> -----Original Message-----
> From: Joel Esler [mailto:eslerj at ...11827...]
> Sent: December 03, 2008 1:34 PM
> To: Jefferson, Shawn
> Cc: Snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Performance and rule tuning
>
>
> On Dec 3, 2008, at 2:57 PM, Jefferson, Shawn wrote:
>
>   
>> One more question about rule tuning:
>>
>> I am getting some false positives from the ftp pre-processor.  How
>> do I suppress these without disabling the pre-processor altogether?
>>     
>
> Threshold and Suppression commands.  Take a look at the
> README.threshold in the doc/ directory of your Snort tarball, also
> take a look at the threshold.conf file in the etc/ directory of your
> Snort tarball.  You will see many examples on how to configure
> Threshold and Suppression, in order to tune your system.
>
>   
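
Added example, not part of the thread and not Snort's own code: a small checker that resolves an alert message to its gid/sid pair from gen-msg.map text and reports what an existing suppress line actually targets, so a wrong gen_id shows up as a pair with no map entry. It assumes the map uses a `gid || sid || message` layout; the sample map is constructed, with only the 125/7 pairing taken from the messages above.

```python
import re

# Constructed sample in the "gid || sid || message" layout assumed for gen-msg.map.
# Only the 125/7 pairing comes from the thread; the other entries are placeholders.
SAMPLE_GEN_MSG_MAP = """\
# comment lines and blank lines are skipped

125 || 7 || ftp_pp: FTP command channel encrypted
998 || 1 || example_pp: constructed placeholder event
998 || 2 || example_pp: another constructed placeholder
"""

SUPPRESS_RE = re.compile(r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)")


def parse_gen_msg_map(text):
    """Return {(gid, sid): message} for every well-formed map line."""
    events = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("||", 2)]
        if len(parts) == 3 and parts[0].isdigit() and parts[1].isdigit():
            events[(int(parts[0]), int(parts[1]))] = parts[2]
    return events


def suppress_for(events, alert_text):
    """Build suppress lines for map entries whose message contains alert_text."""
    needle = alert_text.lower()
    return [f"suppress gen_id {gid}, sig_id {sid}"
            for (gid, sid), msg in sorted(events.items())
            if needle in msg.lower()]


def explain_suppress(events, line):
    """Return the message a suppress line targets, or None if the pair is not in the map."""
    m = SUPPRESS_RE.match(line)
    if not m:
        raise ValueError(f"not a suppress line: {line!r}")
    return events.get((int(m.group(1)), int(m.group(2))))


if __name__ == "__main__":
    events = parse_gen_msg_map(SAMPLE_GEN_MSG_MAP)
    print(suppress_for(events, "FTP command channel encrypted"))
    print(explain_suppress(events, "suppress gen_id 125, sig_id 7"))
    print(explain_suppress(events, "suppress gen_id 1, sig_id 7"))
```

To check a real configuration, pass the contents of etc/gen-msg.map from the Snort source tree to `parse_gen_msg_map` in place of the sample string.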




