[Snort-users] Fine tuning Snort

waldo kitty wkitty42 at ...14940...
Thu Oct 7 12:56:09 EDT 2010


On 10/7/2010 12:26, James Lay wrote:
> Hello All.
>
> So I'm needing to fine tune snort a bit.  I get a high amount of FP's on
> things like:
>
> Emails with .jpg's:
> [1:12798:3] SHELLCODE base64 x86 NOOP [**] [Classification: Executable
> Code was Detected]
>
> exe downloads from Windows Updates:
> [1:15306:4] WEB-CLIENT Portable Executable binary file transfer
> [1:2000419:12] ET POLICY PE EXE or DLL Windows file download
>
> I'd rather not just comment out these rules....what are other folks doing
> to minimize FP's?  Thank you.

use the threshold file, luke... use the threshold file ;)

here's a working *sample* threshold.conf...

# this file is used to set threshold levels on or to
# completely suppress a gid:sid without modifying the
# actual rules themselves.
# see README.filter for details
#
# DNS Spoof stuff from google's public dns servers
suppress gen_id 1, sig_id 254, track by_src, ip 8.8.4.4
suppress gen_id 1, sig_id 254, track by_src, ip 8.8.8.8

# Consecutive TCP small segments exceeding threshold
# from irc.oftc.net systems - ping, are you there?
suppress gen_id 129, sig_id 12, track by_src, ip 12.31.165.82
suppress gen_id 129, sig_id 12, track by_src, ip 64.62.190.36
suppress gen_id 129, sig_id 12, track by_src, ip 66.184.117.12
suppress gen_id 129, sig_id 12, track by_src, ip 72.32.146.136
suppress gen_id 129, sig_id 12, track by_src, ip 140.211.166.64
suppress gen_id 129, sig_id 12, track by_src, ip 206.12.19.242
suppress gen_id 129, sig_id 12, track by_src, ip 207.192.72.99

# Suppress http_inspect LONG HEADER
suppress gen_id 119, sig_id 19

# Suppress TCP Timestamp is outside of PAWS window
suppress gen_id 129, sig_id 3

# Suppress TCP Timestamp is outside of PAWS window
suppress gen_id 129, sig_id 4

# Suppress Bad segment, adjusted size <= 0
suppress gen_id 129, sig_id 5

# Suppress Limit on number of overlapping TCP packets reached
suppress gen_id 129, sig_id 7

# Suppress Consecutive TCP small segments exceeding threshold
suppress gen_id 129, sig_id 12

# Suppress SENSITIVE-DATA U.S. Social Security Numbers (w/out dashes)
suppress gen_id 138, sig_id 4

# Suppress SENSITIVE-DATA Email Addresses
suppress gen_id 138, sig_id 5

# Suppress SENSITIVE-DATA SDF_COMBO_ALERT
suppress gen_id 139, sig_id 1

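As an added example (not part of this thread or of Snort itself), a small Python checker that parses entries written in the threshold.conf syntax shown above and reports whether a given alert header would be suppressed; the sample entries, the 192.0.2.0/24 block and the test addresses are constructed for illustration.

```python
import re
import ipaddress

# Constructed sample in the threshold.conf syntax shown in the post above.
SAMPLE_CONF = """
# DNS spoof alerts from Google's public resolvers
suppress gen_id 1, sig_id 254, track by_src, ip 8.8.8.8
# PE download policy rule, only for downloads to the patch-management subnet (constructed block)
suppress gen_id 1, sig_id 2000419, track by_dst, ip 192.0.2.0/24
# blanket suppression, no track/ip restriction
suppress gen_id 119, sig_id 19
"""

# suppress gen_id <gid>, sig_id <sid>[, track by_src|by_dst, ip <address or CIDR>]
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$"
)
# Alert headers look like "[gid:sid:rev] message"
ALERT_RE = re.compile(r"^\[(\d+):(\d+):(\d+)\]")

def parse_suppressions(text):
    """Return (gid, sid, track, network) tuples; track/network are None for a blanket suppress."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised threshold.conf line: {line!r}")
        gid, sid, track, ip = m.groups()
        net = ipaddress.ip_network(ip, strict=False) if ip else None
        rules.append((int(gid), int(sid), track, net))
    return rules

def alert_ids(alert_line):
    """Extract (gid, sid) from an alert header such as '[1:12798:3] SHELLCODE ...'."""
    m = ALERT_RE.match(alert_line)
    if not m:
        raise ValueError(f"not an alert header: {alert_line!r}")
    return int(m.group(1)), int(m.group(2))

def is_suppressed(rules, gid, sid, src, dst):
    """True if alert gid:sid with these endpoints matches a suppress entry."""
    for r_gid, r_sid, track, net in rules:
        if (r_gid, r_sid) != (gid, sid):
            continue
        if net is None:  # blanket suppression of this gid:sid
            return True
        addr = ipaddress.ip_address(src if track == "by_src" else dst)
        if addr in net:
            return True
    return False
```

The checker is a way to review a threshold file before deploying it: a blanket suppress (no track/ip) silences the signature everywhere, whereas a tracked entry only hides alerts from or to the listed addresses.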