Home page logo
/

snort logo Snort mailing list archives

Re: Fine tuning Snort
From: James Lay <jlay () slave-tothe-box net>
Date: Thu, 07 Oct 2010 12:02:41 -0600

Kevin and Waldo, you gents are treasuresĀŠI will get to work and report my
resultsĀŠthank you much!

james

From:  Kevin Ross <kevross33 () googlemail com>
Date:  Thu, 7 Oct 2010 17:55:43 +0100
To:  James Lay <jlay () slave-tothe-box net>, Snort
<snort-users () lists sourceforge net>
Subject:  Re: [Snort-users] Fine tuning Snort

Well what you can do is:

- Use threshold.conf to supress alerts entirely from certain sources or
destinations and limit the amount of alerts it will fire too. Read the
examples in threshold.conf and put them in your enviroment. If there is
specific sources and destinations you can filter this way

- Use oinkmaster or pulled pork to disable and enable rules from VRT and
emergingthreats.net <http://emergingthreats.net>  that you need. Just start
by not including rules files for things you do not have and then go through
the rules files taking down the sids to disable and then have oinkmaster or
pulled pork scheduled by cron to run an update.

also, the shellcode sigs aren't very reliable as they are extremely FP
prone. Emergingthreats is rules you want to use as well, purely because of
the IP lists (russian business network, botnet control servers & compromised
hosts) and malware sigs (a lot of research into that). Vulnerability wise
the ET rules more complement the VRT rules (personally I get more hits off
the ET rules but that is purely because a lot of malware is out there so you
pick up infected clients trying to reach control servers and so on). A
targeted attack it may be the VRT rules that do the actual detection so best
cover threats to your enviroment, vulnerabilities and such but I think
malware is a threat to everybody. Though on a side note emergingthreats is
releasing a full ruleset which has all the normal rules but also has a paid
part which provides coverage for all vulnerabilities and you choose what is
important http://www.emergingthreatspro.com/ though that coverage is paid
but the emergingthreatspro stuff is completely free and worth a look as we
do try and compliment the VRT rulesets with mostly malware but some
vulnerabilities and things, though it is more amatuers rather than
professionals and only now is the rules getting performance checked,
improved etc by the pro part of the setup to improve the quality of the
ruleset.

Really a choice based on your needs but a well tuned environment covering
everything that effects you is a good approach.

Hope this helps, Kevin

On 7 October 2010 17:26, James Lay <jlay () slave-tothe-box net> wrote:
Hello All.

So I'm needing to fine tune snort a bit.  I get a high amount of FP's on
things like:

Emails with .jpg's:
[1:12798:3] SHELLCODE base64 x86 NOOP [**] [Classification: Executable
Code was Detected]

exe downloads from Windows Updates:
[1:15306:4] WEB-CLIENT Portable Executable binary file transfer
[1:2000419:12] ET POLICY PE EXE or DLL Windows file download

I'd rather not just comment out these rules....what are other folks doing
to minimize FP's?  Thank you.

James



------------------------------------------------------------------------------
Beautiful is writing same markup. Internet Explorer 9 supports
standards for HTML5, CSS3, SVG 1.1,  ECMAScript5, and DOM L2 & L3.
Spend less time writing and  rewriting code and more time creating great
experiences on the web. Be a part of the beta today.
http://p.sf.net/sfu/beautyoftheweb
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



------------------------------------------------------------------------------
Beautiful is writing same markup. Internet Explorer 9 supports
standards for HTML5, CSS3, SVG 1.1,  ECMAScript5, and DOM L2 & L3.
Spend less time writing and  rewriting code and more time creating great
experiences on the web. Be a part of the beta today.
http://p.sf.net/sfu/beautyoftheweb
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault