[Snort-users] how can improve detection of attack by snort 3
Joel Esler (jesler)
jesler at cisco.com
Wed May 30 12:50:19 EDT 2018
Why don't you use the registered rule set for 3.0 to test with?
On May 30, 2018, at 6:07 AM, bz Os via Snort-users <snort-users at lists.snort.org<mailto:snort-users at lists.snort.org>> wrote:
hello evry one
i am using snort 3 as ids i loaded snort3 comunity rules and i uncommented all commented rules and i loaded this rules in the configuration file ,when i run snort 3957
rules are loaded .
i run snort against a part on darpa dataset but as results i had only 3 detection ( "(http_Inspect)header line terminated by LF without a CR " and "(arp_spoof) unicast arp request " and "(ipv4)packet from reserved source address " in other hand i runed suricata against the same pcap file as rusults suricata detected a lot of attack ,
how can i add emerging threat to detect more attack by snort 3 or is there a method for improve the detection
Snort-users mailing list
Snort-users at lists.snort.org<mailto:Snort-users at lists.snort.org>
Go to this URL to change user options or unsubscribe:
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users