[Snort-users] Reliability of signatures

waldo kitty wkitty42 at ...14940...
Fri Feb 4 20:02:25 EST 2011


On 2/4/2011 14:03, beenph wrote:
> All the changes to a submission system will still be context relevant
> and might not apply to you and you will
> end up having people who will not try to understand what they actually
> see but will basically rely on that
> to apply automatic rules tuning and the problem will still be there
> for the "unknown" proportion of people
> who do not take time to tune and manage their rule set.

i can agree almost 100% on this paragraph... my tool and environment require 
tuning for the network being protected... even if one doesn't use my tool, they 
must tune snort's rules for their network or else they will be quite overrun by 
alerts that are not problematic for their network...

i had the chance to work (from remote) on a system over in norway the other
week... their snort was quite overloaded with "too many small tcp packets"
alerts... it didn't take me long to discover that they have several cisco
products in their setup... it also didn't take me long to discover that they
have a lot of snmp traffic even though they are not using much/any of it... they
may not even know that it is available or they may simply not have the tools to
utilize the information in that snmp traffic...

anyway, once i thresholded several snort rules and completely disabled other 
extremely talkative ones, it was much easier to see things on their network that 
were of interest and indicating possible problems... the sad part of this tale 
is that i've been working with them for over a year and describing the necessity 
and method of tuning but this was the first time that i had a chance to actively 
enter their system and do it myself... it was quite satisfying to get things 
cleaned up enough for them to actually start assisting in the protection of 
their network rather than them spending so much time wading thru cr4p alerts and 
basically giving up because of being overwhelmed...
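As an added illustration of the thresholding and disabling described above (example code, not from the original post or from the Snort project): a small Python script that counts a constructed sample of Snort alert_fast lines per generator/signature id and emits threshold.conf entries, a suppress line for the extremely talkative signatures and a rate-limiting event_filter for the merely noisy ones. The sample lines, the local SIDs 1000001/1000002 and the cutoffs are assumptions.

```python
import re
from collections import Counter

# Matches the "[gid:sid:rev] message" block of a Snort alert_fast line.
ALERT_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):\d+\] (.+?) \[\*\*\]")


def _fast_alert(gid, sid, msg, src, dst):
    """Build one constructed alert_fast line (sample data, not real traffic)."""
    return (f"02/04-14:03:21.000000  [**] [{gid}:{sid}:1] {msg} [**] "
            f"[Priority: 3] {{TCP}} {src} -> {dst}")


# Constructed sample: a chatty stream preprocessor alert, one moderately noisy
# local rule and one rare local rule. SIDs 1000001/1000002 are placeholders.
SAMPLE_ALERTS = (
    [_fast_alert(129, 12, "Consecutive TCP small segments exceeding threshold",
                 f"10.0.0.{n}:49152", "10.0.0.9:443") for n in range(1, 13)]
    + [_fast_alert(1, 1000001, "LOCAL SNMP public community string",
                   f"10.0.1.{n}:161", "10.0.0.20:161") for n in range(1, 5)]
    + [_fast_alert(1, 1000002, "LOCAL rare event worth a look",
                   "203.0.113.7:4444", "10.0.0.9:22")]
)


def count_alerts(lines):
    """Count alerts per (gid, sid) and remember each signature's message."""
    counts, msgs = Counter(), {}
    for line in lines:
        m = ALERT_RE.search(line)
        if not m:
            continue
        key = (int(m.group(1)), int(m.group(2)))
        counts[key] += 1
        msgs[key] = m.group(3)
    return counts, msgs


def tuning_config(counts, msgs, limit_at=3, suppress_at=10, seconds=60):
    """Return threshold.conf lines, noisiest signature first: suppress the
    extremely talkative ones, rate-limit the noisy ones, leave the rest alone."""
    out = []
    for (gid, sid), n in sorted(counts.items(), key=lambda kv: -kv[1]):
        if n >= suppress_at:
            out.append(f"# {n} hits: {msgs[(gid, sid)]}\n"
                       f"suppress gen_id {gid}, sig_id {sid}")
        elif n >= limit_at:
            out.append(f"# {n} hits: {msgs[(gid, sid)]}\n"
                       f"event_filter gen_id {gid}, sig_id {sid}, type limit, "
                       f"track by_src, count 1, seconds {seconds}")
    return out


if __name__ == "__main__":
    counts, msgs = count_alerts(SAMPLE_ALERTS)
    print("\n".join(tuning_config(counts, msgs)))
```

Review the generated lines before appending them to threshold.conf; a suppress entry hides the signature entirely, so it is only appropriate for alerts you have already confirmed are benign on that network.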
