Snort mailing list archives

Re: Fine tuning Snort
From: Josh Little <josh () zombietango com>
Date: Fri, 08 Oct 2010 09:08:53 -0400

On 10/7/2010 2:02 PM, James Lay wrote:
Kevin and Waldo, you gents are treasures…I will get to work and report
my results…thank you much!

james

From: Kevin Ross <kevross33 () googlemail com>
Date: Thu, 7 Oct 2010 17:55:43 +0100
To: James Lay <jlay () slave-tothe-box net>, Snort <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Fine tuning Snort

Well what you can do is:

- Use threshold.conf to suppress alerts entirely from certain sources
or destinations and limit the amount of alerts it will fire, too. Read
the examples in threshold.conf and put them in your environment. If
there are specific sources and destinations you can filter this way.

- Use oinkmaster or pulled pork to disable and enable rules from VRT
and emergingthreats.net that you need.
Just start by not including rules files for things you do not have and
then go through the rules files taking down the sids to disable and
then have oinkmaster or pulled pork scheduled by cron to run an update.


I have a small tool written in Perl called Pigsty that will automate
finding any sigs in your enabled ruleset that match a pattern. The tool
will output a list of disablesid lines that you can then drop into your
oinkmaster.conf file or have the tool directly append the file. This
makes cleaning up your current rules much easier. You could probably
modify the oinkmaster perl script to run Pigsty just after the latest
sigs are downloaded and before the routine for commenting out disabled
sids completes.

Find it at http://zombietango.com/blog/tools/

ZT
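As an added illustration of the workflow described in the reply above (scan the enabled ruleset for signatures whose msg matches a pattern, then emit oinkmaster.conf disablesid lines), here is a small Python script. It is not Pigsty's code and not oinkmaster's; the rules file content is constructed for the example, and the sid values are placeholders.

```python
import re

# Constructed sample of a Snort rules file; sids are placeholders, not real VRT/ET rules.
SAMPLE_RULES = """\
# Constructed sample rules for illustration
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB example"; flow:to_server; sid:9000001; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1433 (msg:"SQL MSSQL example probe"; sid:9000002; rev:1;)
# alert udp any any -> any 161 (msg:"SNMP already disabled"; sid:9000003; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"POLICY SSH example"; sid:9000004; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"SQL MSSQL example scan"; sid:9000005; rev:1;)
"""

# A rule line: optional leading '#' (already disabled), an action, header, then options in parentheses.
RULE_RE = re.compile(r'^\s*(?P<disabled>#\s*)?(?P<action>alert|log|pass|drop|reject|sdrop)\s+.*?\((?P<opts>.*)\)\s*$')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')

def parse_rules(text):
    """Yield (sid, msg, enabled) for every rule line that carries a sid option."""
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # blank line, plain comment, or something that is not a rule
        sid = SID_RE.search(m.group('opts'))
        if not sid:
            continue
        msg = MSG_RE.search(m.group('opts'))
        yield int(sid.group(1)), (msg.group(1) if msg else ''), m.group('disabled') is None

def find_matching_sids(text, pattern, enabled_only=True):
    """Return a sorted list of (sid, msg) whose msg matches pattern (case-insensitive)."""
    pat = re.compile(pattern, re.IGNORECASE)
    return sorted((sid, msg) for sid, msg, enabled in parse_rules(text)
                  if (enabled or not enabled_only) and pat.search(msg))

def disablesid_lines(text, pattern):
    """Render oinkmaster.conf lines: a comment naming the signature, then 'disablesid <sid>'."""
    out = []
    for sid, msg in find_matching_sids(text, pattern):
        out.append('# %s' % msg)
        out.append('disablesid %d' % sid)
    return out

if __name__ == '__main__':
    print('\n'.join(disablesid_lines(SAMPLE_RULES, r'MSSQL')))
```

The printed lines can be appended to oinkmaster.conf; rules that are already commented out are skipped unless enabled_only=False is passed.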

