[Snort-users] Rules and Tuning

Steven Vona savona at ...15736...
Tue Aug 14 16:52:36 EDT 2012


Thanks for the help.  But what I really need is a listing of all the
rules.  We want to go through the whole list and select what we need
enabled and not enabled.  Is this possible?


On Tue, Aug 14, 2012 at 11:48 AM, Tony Robinson <trobinson at ...1935...>wrote:

> To expand on JJ's answer,
>
> This depends on what ruleset you are utilizing, Steve, but at least for
> the VRT ruleset, there are multiple ways for you to obtain more information
> for a given rule. If you have the sid number/message, the actual rule (or
> rule stub in the case of SO rules) will usually have metadata associated
> with the rule -- MS vulnerability IDs, CVE numbers, as well as links to
> websites with more information (e.g. links to bugtraq or MS technet,
> virustotal, etc.)
>
> If you don't want to dig in the .rules files, then, at least for VRT
> rules, snort.org has a rule search page, that, given a SID, can give you
> more information on a given rule
> www.snort.org/search
>
> additionally, the downloads page has a file, opensource.gz that has rule
> documentation available as well.
>
> Hope this helps,
>
> Tony
>
> On Mon, Aug 13, 2012 at 1:42 PM, Steven Vona <savona at ...15736...> wrote:
>
>> Is there someplace I can get a list of rules and what they are looking
>> for?  We are getting a ton of alerts and I would like to fine tunes which
>> rules should be active and which rules should be disabled.  I need more
>> information than just the name of the rule.
>>
>> Thanks,
>> Steve
>>
>>
>>
>> ------------------------------------------------------------------------------
>> Live Security Virtual Conference
>> Exclusive live event will cover all the ways today's security and
>> threat landscape has changed and how IT managers can respond. Discussions
>> will include endpoint security, mobile security and the latest in malware
>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest
>> Snort news!
>>
>
>
>
> --
>
>  Tony Robinson
> Security Consultant I
> SourceFIRE Professional Services Division
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20120814/21be91de/attachment.html>


More information about the Snort-users mailing list