[Snort-users] Fine tuning Snort

Josh Little josh at ...14998...
Fri Oct 8 09:08:53 EDT 2010


 On 10/7/2010 2:02 PM, James Lay wrote:
> Kevin and Waldo, you gents are treasures…I will get to work and report
> my results…thank you much!
>
> james
>
> From: Kevin Ross <kevross33 at ...14012...>
> Date: Thu, 7 Oct 2010 17:55:43 +0100
> To: James Lay <jlay at ...13475...>, Snort
> <snort-users at lists.sourceforge.net>
> Subject: Re: [Snort-users] Fine tuning Snort
>
> Well what you can do is:
>
> - Use threshold.conf to suppress alerts entirely from certain sources
> or destinations and limit the number of alerts it will fire too. Read
> the examples in threshold.conf and put them in your environment. If
> there are specific sources and destinations, you can filter them this way.
>
> - Use oinkmaster or PulledPork to disable and enable rules from VRT
> and emergingthreats.net that you need.
> Just start by not including rules files for things you do not have and
> then go through the rules files taking down the sids to disable and
> then have oinkmaster or PulledPork scheduled by cron to run an update.
>

I have a small tool written in Perl called Pigsty that will automate
finding any sigs in your enabled ruleset that match a pattern. The tool
will output a list of disablesid lines that you can then drop into your
oinkmaster.conf file or have the tool directly append the file. This
makes cleaning up your current rules much easier. You could probably
modify the oinkmaster perl script to run Pigsty just after the latest
sigs are downloaded and before the routine for commenting out disabled
sids completes.

Find it at http://zombietango.com/blog/tools/

ZT
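The workflow the thread describes (grep the enabled ruleset for a pattern, emit disablesid lines for oinkmaster.conf, and suppress or rate-limit noisy sids in threshold.conf), as an added example. This is not Pigsty's code and not oinkmaster's: it is written in Python rather than Perl so the parser is easy to follow, the rules, sids and IP address are constructed for the demo, and the threshold.conf lines use the event_filter/suppress syntax of Snort 2.8.5 and later (older threshold.conf files use the deprecated `threshold` keyword instead of `event_filter`). Two caveats worth knowing before dropping the output into a live config: oinkmaster's `disablesid` is keyed on sid only, so rules with a gid other than 1 have to be handled in threshold.conf via `gen_id`, and the tool only reports rules that are currently enabled, so re-running it after an update does not re-emit sids you already disabled.

```python
"""Find enabled Snort rules whose msg (or whole text) matches a pattern and
emit oinkmaster 'disablesid' lines and threshold.conf entries for them.
Added example for the Snort-users thread; not Pigsty or oinkmaster code."""
import re

# Constructed sample ruleset (not real VRT/ET content); sids are in the local
# 1000000+ range.  The first rule is already commented out, as oinkmaster
# leaves disabled rules, and must not be reported again.
SAMPLE_RULES = r'''
# disabled earlier by oinkmaster
#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB old probe"; flow:to_server; sid:1000001; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB share enum"; flow:to_server,established; content:"|FF|SMB"; sid:1000002; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"POLICY web chat"; flow:to_server; \
    content:"chat"; nocase; sid:1000003; rev:1;)
alert udp any any -> any 53 (msg:"DNS spoof attempt"; sid:1000004; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB-DS trans"; sid:1000005; rev:1;)
'''

SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg:\s*"((?:[^"\\]|\\.)*)"\s*;')   # msg may contain \" escapes
ACTION_RE = re.compile(r'^(alert|log|pass|drop|reject|sdrop)\s')

def _logical_lines(text):
    """Join Snort's backslash line continuations into one logical rule line."""
    buf = []
    for line in text.splitlines():
        if line.rstrip().endswith('\\'):
            buf.append(line.rstrip()[:-1])
            continue
        buf.append(line)
        yield ''.join(buf)
        buf = []
    if buf:
        yield ''.join(buf)

def parse_rules(text):
    """Return a list of dicts (sid, gid, msg, enabled, raw) for every rule found."""
    rules = []
    for line in _logical_lines(text):
        stripped = line.strip()
        if not stripped:
            continue
        enabled = not stripped.startswith('#')
        body = stripped.lstrip('#').strip()
        sid = SID_RE.search(body)
        if not sid or not ACTION_RE.match(body):
            continue                      # plain comment or non-rule line
        gid = GID_RE.search(body)
        msg = MSG_RE.search(body)
        rules.append({'sid': int(sid.group(1)),
                      'gid': int(gid.group(1)) if gid else 1,   # Snort default gid
                      'msg': msg.group(1) if msg else '',
                      'enabled': enabled, 'raw': body})
    return rules

def match_sids(rules, pattern, search_whole_rule=False):
    """Enabled rules whose msg (or full rule text) matches the regex, case-insensitively."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [r for r in rules if r['enabled']
            and rx.search(r['raw'] if search_whole_rule else r['msg'])]

def disablesid_lines(rules):
    """One 'disablesid N' per line, sorted and de-duplicated, for oinkmaster.conf."""
    return ['disablesid %d' % sid for sid in sorted({r['sid'] for r in rules})]

def suppress_lines(rules, track, ip):
    """threshold.conf 'suppress' entries: never alert on these sids for the given host/CIDR."""
    if track not in ('by_src', 'by_dst'):
        raise ValueError('track must be by_src or by_dst')
    return ['suppress gen_id %d, sig_id %d, track %s, ip %s' % (r['gid'], r['sid'], track, ip)
            for r in rules]

def event_filter_lines(rules, count=1, seconds=60, track='by_src'):
    """threshold.conf 'event_filter' entries: at most `count` alerts per `seconds` per tracked address."""
    if track not in ('by_src', 'by_dst'):
        raise ValueError('track must be by_src or by_dst')
    return ['event_filter gen_id %d, sig_id %d, type limit, track %s, count %d, seconds %d'
            % (r['gid'], r['sid'], track, count, seconds) for r in rules]

def merge_disablesids(existing_conf, new_lines):
    """Append only the disablesid lines not already present in an oinkmaster.conf text."""
    present = {l.strip() for l in existing_conf.splitlines()}
    add = [l for l in new_lines if l not in present]
    if not add:
        return existing_conf
    if existing_conf and not existing_conf.endswith('\n'):
        existing_conf += '\n'
    return existing_conf + '\n'.join(add) + '\n'

if __name__ == '__main__':
    hits = match_sids(parse_rules(SAMPLE_RULES), r'NETBIOS SMB')
    print('\n'.join(disablesid_lines(hits)))
    print('\n'.join(suppress_lines(hits, 'by_src', '10.0.0.5')))       # constructed IP
    print('\n'.join(event_filter_lines(hits, count=1, seconds=60)))
```

Running it with `NETBIOS SMB` lists only the two enabled SMB rules (the commented-out sid 1000001 is skipped), and the continuation-line rule is parsed as one rule so a pattern such as `chat` still finds it. Feed the `disablesid` output through `merge_disablesids` against your existing oinkmaster.conf rather than blindly appending, so repeated cron runs do not pile up duplicate lines.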
