[Snort-users] Fine tuning Snort

James Lay jlay at ...13475...
Thu Oct 7 14:02:41 EDT 2010

Kevin and Waldo, you gents are treasuresŠI will get to work and report my
resultsŠthank you much!


From:  Kevin Ross <kevross33 at ...14012...>
Date:  Thu, 7 Oct 2010 17:55:43 +0100
To:  James Lay <jlay at ...13475...>, Snort
<snort-users at lists.sourceforge.net>
Subject:  Re: [Snort-users] Fine tuning Snort

Well what you can do is:

- Use threshold.conf to supress alerts entirely from certain sources or
destinations and limit the amount of alerts it will fire too. Read the
examples in threshold.conf and put them in your enviroment. If there is
specific sources and destinations you can filter this way

- Use oinkmaster or pulled pork to disable and enable rules from VRT and
emergingthreats.net <http://emergingthreats.net>  that you need. Just start
by not including rules files for things you do not have and then go through
the rules files taking down the sids to disable and then have oinkmaster or
pulled pork scheduled by cron to run an update.

also, the shellcode sigs aren't very reliable as they are extremely FP
prone. Emergingthreats is rules you want to use as well, purely because of
the IP lists (russian business network, botnet control servers & compromised
hosts) and malware sigs (a lot of research into that). Vulnerability wise
the ET rules more complement the VRT rules (personally I get more hits off
the ET rules but that is purely because a lot of malware is out there so you
pick up infected clients trying to reach control servers and so on). A
targeted attack it may be the VRT rules that do the actual detection so best
cover threats to your enviroment, vulnerabilities and such but I think
malware is a threat to everybody. Though on a side note emergingthreats is
releasing a full ruleset which has all the normal rules but also has a paid
part which provides coverage for all vulnerabilities and you choose what is
important http://www.emergingthreatspro.com/ though that coverage is paid
but the emergingthreatspro stuff is completely free and worth a look as we
do try and compliment the VRT rulesets with mostly malware but some
vulnerabilities and things, though it is more amatuers rather than
professionals and only now is the rules getting performance checked,
improved etc by the pro part of the setup to improve the quality of the

Really a choice based on your needs but a well tuned environment covering
everything that effects you is a good approach.

Hope this helps, Kevin

On 7 October 2010 17:26, James Lay <jlay at ...13475...> wrote:
> Hello All.
> So I'm needing to fine tune snort a bit.  I get a high amount of FP's on
> things like:
> Emails with .jpg's:
> [1:12798:3] SHELLCODE base64 x86 NOOP [**] [Classification: Executable
> Code was Detected]
> exe downloads from Windows Updates:
> [1:15306:4] WEB-CLIENT Portable Executable binary file transfer
> [1:2000419:12] ET POLICY PE EXE or DLL Windows file download
> I'd rather not just comment out these rules....what are other folks doing
> to minimize FP's?  Thank you.
> James
> ------------------------------------------------------------------------------
> Beautiful is writing same markup. Internet Explorer 9 supports
> standards for HTML5, CSS3, SVG 1.1,  ECMAScript5, and DOM L2 & L3.
> Spend less time writing and  rewriting code and more time creating great
> experiences on the web. Be a part of the beta today.
> http://p.sf.net/sfu/beautyoftheweb
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20101007/c6e8a413/attachment.html>

More information about the Snort-users mailing list