[Snort-users] how can improve detection of attack by snort 3

bz Os ossamabzos at gmail.com
Wed May 30 13:17:13 EDT 2018


Thanks Joël esler for reply i am using snort comunity rules the rules used
by snort 3 ,i dont understand jour reply can you explain plz


Le mer. 30 mai 2018 4:50 PM, Joel Esler (jesler) <jesler at cisco.com> a
écrit :

> Why don't you use the registered rule set for 3.0 to test with?
>
>
>
> On May 30, 2018, at 6:07 AM, bz Os via Snort-users <
> snort-users at lists.snort.org> wrote:
>
> hello evry one
>    i am using snort 3 as ids i loaded snort3 comunity rules and i
> uncommented all commented rules and i loaded this rules in the
> configuration file ,when i run snort  3957
> rules are loaded .
>    i run snort against a part on darpa dataset but as results i had only 3
> detection (  "(http_Inspect)header line terminated by LF without a CR "
> and  "(arp_spoof) unicast arp request " and "(ipv4)packet from reserved
> source address " in other hand  i runed suricata against the same pcap
> file as rusults suricata detected a lot of attack ,
>
>    how can i add emerging threat to detect more attack by snort 3 or is
> there a method for improve the detection
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.snort.org
> Go to this URL to change user options or unsubscribe:
> https://lists.snort.org/mailman/listinfo/snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
> Please follow these rules:
> https://snort.org/faq/what-is-the-mailing-list-etiquette
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20180530/2b62e7fd/attachment.html>


More information about the Snort-users mailing list