[Snort-users] Help tuning snort for performance.

Alex Kirk akirk at ...1935...
Thu Feb 11 12:25:11 EST 2010


Ahhh, OK, so you're an MSSP of some sort then.

The reality you face at this point, of course, is that dropping packets like
you are means that you're going to be missing a lot of attacks anyway.
Realizing that you can't tune the rules yourself, it's probably a good idea
for you to tell the end user that they need to either spend some time doing
it themselves or allow you to do some tuning, because by looking for attacks
that they're not vulnerable to (which will happen with a poorly tuned
ruleset), they're going to miss things that can actually hit them.

On Thu, Feb 11, 2010 at 12:12 PM, Andy Berryman <aberryman at ...14758...>wrote:

>  Well, the issue with that is, the end user is the one responsible for
> turning on/off rules. We leave it to them to turn them on or off b/c if I
> turn one off and they get attacked and there was no event recorded, I'm the
> one on the hook. So, we place the responsibility on them to turn on or off
> the rules. We will go through and turn off major false positives that we
> see, like the bare-byte unicode alerts.  So, with that being said, it's
> probably a poorly tuned rule set.
>
>
>
> Does that make any sense? I know to me, it's a catch-22.
>
>
>
> Thanks,
>
> Andy
>
>
>
> *From:* Alex Kirk [mailto:akirk at ...1935...]
> *Sent:* Thursday, February 11, 2010 11:05 AM
> *To:* Andy Berryman
>
> *Cc:* snort-users at lists.sourceforge.net
> *Subject:* Re: [Snort-users] Help tuning snort for performance.
>
>
>
> I'm not the best-qualified to speak to the issue of frag tuning, but given
> such a high dropped-packet rate, I figured I would raise another possibility
> that I can discuss intelligently: how well-tuned is your rule set? If you've
> got a whole bunch of unnecessary rules, turning them off could make the rest
> of your tuning needs basically moot.
>
>
>
>
>
>
>
> ------------------------------------------------------------------------------
> SOLARIS 10 is the OS for Data Centers - provides features such as DTrace,
> Predictive Self Healing and Award Winning ZFS. Get Solaris 10 NOW
> http://p.sf.net/sfu/solaris-dev2dev
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users<https://lists.sourceforge.net/lists/listinfo/snort-users%0d%0aSnort-users>list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>
>
> --
> Alex Kirk
> AEGIS Program Lead
> Sourcefire Vulnerability Research Team
> +1-410-423-1937
> alex.kirk at ...1935...
>  ------------------------------
>  This message from Cymtec Systems, Inc. contains confidential information
> and is solely for the use of the recipient(s) named above. If you are not
> the intended recipient or an agent responsible for delivering it to the
> intended recipient, you are hereby notified that you have received this
> message in error and that any review, disclosure, copying, distribution or
> use of the contents of this message is strictly prohibited. If you have
> received this message in error, please destroy it immediately and notify
> Cymtec Systems, Inc. by telephone at +1.314.993.8700 or by return e-mail.
>  ------------------------------
>
>



-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk at ...1935...
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20100211/25ebc3c6/attachment.html>


More information about the Snort-users mailing list