[Snort-users] Reliability of signatures
wkitty42 at ...14940...
Fri Feb 4 20:02:25 EST 2011
On 2/4/2011 14:03, beenph wrote:
> All the changes to a submission system will still be context relevant
> and might not apply to you, and you will
> end up having people who will not try to understand what they actually
> see but will basically rely on that
> to apply automatic rule tuning, and the problem will still be there
> for the "unknown" proportion of people
> who do not take time to tune and manage their rule set.
I can agree almost 100% with this paragraph... my tool and environment require
tuning for the network being protected... even if one doesn't use my tool, they
must tune Snort's rules for their network or else they will be quite overrun by
alerts that are not problematic for their network...
I had the chance to work (from remote) on a system over in Norway the other
week... their Snort was quite overloaded with "too many small TCP packets"
alerts... it didn't take me long to discover that they have several Cisco
products in their setup... it also didn't take me long to discover that they
have a lot of SNMP traffic even though they are not using much/any of it... they
may not even know that it is available, or they may simply not have the tools to
utilize the information in that SNMP traffic...
Anyway, once I thresholded several Snort rules and completely disabled other
extremely talkative ones, it was much easier to see things on their network that
were of interest and indicating possible problems... the sad part of this tale
is that I've been working with them for over a year, describing the necessity
and method of tuning, but this was the first time that I had a chance to actively
enter their system and do it myself... it was quite satisfying to get things
cleaned up enough for them to actually start assisting in the protection of
their network rather than spending so much time wading through cr4p alerts and
basically giving up because of being overwhelmed...
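The tuning pass described above (threshold the talkative rules, suppress the hopeless ones, and scope the suppression to the hosts that actually produce the noise) as an added example that is not part of the original message or of Snort itself: a Python script that summarises alert_fast output by gid:sid and drafts threshold.conf lines in Snort 2.x `event_filter`/`suppress` syntax. The alert lines are constructed, the gid:sid numbers and messages are illustrative placeholders rather than verified ruleset entries, and the volume-share cut-offs (40% for suppress, 10% for rate-limit) are assumptions to adjust per network. Every drafted line should be read before it is loaded.

```python
"""Triage noisy Snort alerts and draft threshold.conf lines for them.

Added example, not code from the original post or from the Snort project.
The alert lines are constructed; gid:sid values are illustrative only.
Output uses Snort 2.x threshold.conf syntax (event_filter / suppress).
"""
import re
from collections import Counter

# alert_fast line: "<ts>  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src:port -> dst:port"
ALERT_RE = re.compile(
    r"^\S+\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:[^\]]*\])?\s+\[Priority:\s*\d+\]\s+\{\w+\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?$"
)


def fake_alert(gid, sid, msg, proto, src, dst, n):
    """Build n constructed alert_fast lines for one signature (sample data only)."""
    tmpl = ("02/04-14:03:25.000000  [**] [{g}:{s}:1] {m} [**] [Priority: 3] "
            "{{{p}}} {src}:{sp} -> {dst}:443")
    return [tmpl.format(g=gid, s=sid, m=msg, p=proto, src=src, sp=40000 + i, dst=dst)
            for i in range(n)]


# Constructed sample: two chatty Cisco-like hosts tripping the stream5 small-segment
# alert, one SNMP poller sweeping a subnet, and a couple of alerts worth keeping.
SMALL_SEG = "(spp_stream5) TCP Small Segment Threshold Exceeded"
SAMPLE_ALERTS = "\n".join(
    fake_alert(129, 12, SMALL_SEG, "TCP", "10.1.1.20", "10.1.1.5", 35)
    + fake_alert(129, 12, SMALL_SEG, "TCP", "10.1.1.21", "10.1.1.5", 25)
    + [fake_alert(1, 1417, "SNMP request udp", "UDP", "10.1.1.200", "10.1.2.%d" % h, 1)[0]
       for h in range(1, 31)]
    + fake_alert(1, 2003, "MS-SQL Worm propagation attempt", "TCP", "10.9.9.9", "10.1.1.50", 2)
    + fake_alert(1, 1000001, "LOCAL suspicious outbound", "TCP", "10.1.1.77", "198.51.100.9", 1)
)


def parse_alerts(text):
    """Parse alert_fast lines into dicts; lines that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            d = m.groupdict()
            d["gid"], d["sid"] = int(d["gid"]), int(d["sid"])
            out.append(d)
    return out


def summarise(alerts):
    """Count alerts per (gid, sid) and the distinct sources firing each one."""
    summary = {}
    for a in alerts:
        s = summary.setdefault((a["gid"], a["sid"]),
                               {"msg": a["msg"], "count": 0, "srcs": Counter()})
        s["count"] += 1
        s["srcs"][a["src"]] += 1
    return summary


def draft_tuning(summary, total, suppress_share=0.40, limit_share=0.10,
                 max_hosts=3, seconds=60):
    """Draft threshold.conf lines for the signatures dominating alert volume.

    - Above suppress_share of all alerts: suppress, but only for the specific
      hosts producing it when there are at most max_hosts of them, so the same
      alert still fires if a new host starts generating it.
    - Above limit_share: an event_filter letting one alert per source through
      every `seconds`, which keeps the signal without the flood.
    Anything below limit_share is left alone; it is not the problem.
    """
    lines = []
    for (gid, sid), s in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        share = s["count"] / total
        if share >= suppress_share:
            lines.append(f"# {s['msg']}: {s['count']} alerts ({share:.0%}) "
                         f"from {len(s['srcs'])} host(s)")
            if len(s["srcs"]) <= max_hosts:
                for ip in sorted(s["srcs"]):
                    lines.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {ip}")
            else:
                lines.append(f"suppress gen_id {gid}, sig_id {sid}")
        elif share >= limit_share:
            lines.append(f"# {s['msg']}: {s['count']} alerts ({share:.0%}), rate-limit per source")
            lines.append(f"event_filter gen_id {gid}, sig_id {sid}, type limit, "
                         f"track by_src, count 1, seconds {seconds}")
    return lines


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    summary = summarise(alerts)
    print(f"{len(alerts)} alerts, {len(summary)} distinct signatures")
    print("\n".join(draft_tuning(summary, len(alerts))))
```

The design choice worth noting is the per-source `suppress ... track by_src, ip` for the small-segment alert: a blanket `suppress gen_id 129, sig_id 12` would hide the same behaviour from any future host, whereas scoping it to the two known chatty devices leaves the detection intact for everything else. The SNMP poller is only rate-limited, so a single alert per minute per source still records that the traffic exists, which is exactly the information the site in the post did not know it had.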