[Snort-users] Fine tuning Snort

James Lay jlay at ...13475...
Fri Oct 8 09:55:56 EDT 2010


Thanks Josh..I will give that a go.

James

>  On 10/7/2010 2:02 PM, James Lay wrote:
>> Kevin and Waldo, you gents are treasures. I will get to work and report
>> my results. Thank you much!
>>
>> james
>>
>> From: Kevin Ross <kevross33 at ...14012...
>> <mailto:kevross33 at ...14012...>>
>> Date: Thu, 7 Oct 2010 17:55:43 +0100
>> To: James Lay <jlay at ...13475...
>> <mailto:jlay at ...13475...>>, Snort
>> <snort-users at lists.sourceforge.net
>> <mailto:snort-users at lists.sourceforge.net>>
>> Subject: Re: [Snort-users] Fine tuning Snort
>>
>> Well what you can do is:
>>
>> - Use threshold.conf to suppress alerts entirely from certain sources
>> or destinations and limit the amount of alerts it will fire too. Read
>> the examples in threshold.conf and put them in your environment. If
>> there are specific sources and destinations you can filter this way.
>>
>> - Use oinkmaster or pulled pork to disable and enable rules from VRT
>> and emergingthreats.net <http://emergingthreats.net> that you need.
>> Just start by not including rules files for things you do not have and
>> then go through the rules files taking down the sids to disable and
>> then have oinkmaster or pulled pork scheduled by cron to run an update.
>>
>
> I have a small tool written in Perl called Pigsty that will automate
> finding any sigs in your enabled ruleset that match a pattern. The tool
> will output a list of disablesid lines that you can then drop into your
> oinkmaster.conf file or have the tool directly append the file. This
> makes cleaning up your current rules much easier. You could probably
> modify the oinkmaster perl script to run Pigsty just after the latest
> sigs are downloaded and before the routine for commenting out disabled
> sids completes.
>
> Find it at http://zombietango.com/blog/tools/
>
> ZT
>

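The two steps recommended in the thread (pick out the signatures you do not need, then hand oinkmaster a list of `disablesid` lines, and use threshold.conf `suppress` entries for sources you never want alerts from) can be scripted in a few lines. The script below is an added example written for this page; it is not the Pigsty tool, not oinkmaster, and not part of the original thread. It assumes oinkmaster.conf's `disablesid <sid>` syntax and Snort's threshold.conf `suppress gen_id ..., sig_id ..., track by_src, ip ...` syntax; the rule text it scans is constructed sample data with made-up sids, not real VRT or Emerging Threats rules.

```python
"""
Added example (not Pigsty, not oinkmaster, not from the thread): scan Snort
rule text for active signatures whose msg matches a pattern, then emit the
oinkmaster.conf `disablesid` lines and optional threshold.conf `suppress`
lines a reviewer would paste into those files.
"""
import re

# Constructed sample rules with made-up sids; in practice read the *.rules
# files under your Snort rules directory instead.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SCAN Potential SSH Scan"; flags:S; classtype:attempted-recon; sid:9000001; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"POLICY Outbound SSH connection"; flow:to_server,established; classtype:policy-violation; sid:9000002; rev:1;)
# alert udp any any -> any 53 (msg:"DNS query already commented out"; sid:9000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1433 (msg:"SQL Server probe"; sid:9000004; rev:2;)
'''

# A rule line starts with an action keyword and carries an option block in
# parentheses; lines commented out with '#' are already disabled and skipped.
RULE_RE = re.compile(r'^\s*(alert|log|pass|drop|reject|sdrop)\s+.*\(.*\)\s*$')
MSG_RE = re.compile(r'msg:\s*"((?:[^"\\]|\\.)*)"')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid:\s*(\d+)\s*;')


def parse_rules(text):
    """Yield (gid, sid, msg) for every active rule line in text."""
    for line in text.splitlines():
        if not RULE_RE.match(line):
            continue
        sid = SID_RE.search(line)
        msg = MSG_RE.search(line)
        if not sid or not msg:
            continue  # malformed or keyword-only line; nothing to disable
        gid = GID_RE.search(line)
        yield (int(gid.group(1)) if gid else 1, int(sid.group(1)), msg.group(1))


def find_sids(text, pattern):
    """Return sorted sids of active rules whose msg matches pattern (case-insensitive)."""
    rx = re.compile(pattern, re.IGNORECASE)
    return sorted(sid for _gid, sid, msg in parse_rules(text) if rx.search(msg))


def disablesid_lines(sids):
    """oinkmaster.conf syntax: one 'disablesid <sid>' per signature."""
    return [f"disablesid {sid}" for sid in sids]


def suppress_lines(sids, sources, gid=1):
    """threshold.conf syntax: silence the given sids for each listed source IP/CIDR."""
    return [f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}"
            for sid in sids for src in sources]


if __name__ == "__main__":
    # Example run: disable every SSH-related signature and additionally
    # suppress them for two constructed trusted sources.
    sids = find_sids(SAMPLE_RULES, r"\bSSH\b")
    print("\n".join(disablesid_lines(sids)))
    print("\n".join(suppress_lines(sids, ["10.0.0.5", "192.168.1.0/24"])))
```

To use it against a real ruleset, replace `SAMPLE_RULES` with the concatenated contents of your rules files and redirect the `disablesid` output into oinkmaster.conf (or append it, as the thread suggests) so the next cron-driven update keeps those sids commented out; the `suppress` lines go into threshold.conf. Matching on the rule `msg` rather than on raw rule text avoids picking up sids merely because the pattern appears inside a `content:` match.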