Snort mailing list archives
Re: Good Snort Signatures
From: "Alex Butcher, ISC/ISYS" <Alex.Butcher () bristol ac uk>
Date: Wed, 25 Aug 2004 09:35:22 +0100
--On 24 August 2004 15:15 -0400 "Keith W. McCammon" <mccammon () gmail com> wrote:
> [snip]
> The rules are not "bunk." You have probably failed to tune your sensor(s). Most FPs/FNs are caused by operators who don't do things like disable preprocessor options that don't apply, comment out rules for services that aren't running, set variables appropriately, etc. You can pay tens of thousands for some other IDS, with some other ruleset. If you turn everything on without tuning, you'll have the same result. Throwing money at the problem won't make the problem go away :)
...and what's more, the commercial NIDS I've used (ISS RS, and Cisco SIDS) don't allow you to see what their 'signatures' are even looking for (I think Cisco, at least, were planning on opening it up a bit - but not for signatures matching vulnerabilities that hadn't yet been patched by the respective vendors). Therefore, the only options you had were to disable rules, or limit them to certain IP addresses and ranges.
Because Snort's rules are open, it's possible to refine what they're looking for quite easily.
Best Regards,
Alex.
--
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing
GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
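As an added illustration of the tuning both posters describe (example code, not from the thread or from the Snort project): a small Python helper that reads a Snort rules file and comments out every rule whose destination ports belong to no service actually running on the monitored hosts, leaving "any"-port rules and rules with unresolved port variables untouched. The sample rules, the set of running ports and the HTTP_PORTS mapping are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed snort.rules fragment for the example (not a real ruleset).
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP command attempt"; content:"SITE"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB probe"; content:"/cgi-bin/"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [1433,1434] (msg:"MSSQL probe"; sid:1000003; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"UDP anything"; sid:1000004; rev:1;)
# alert tcp any any -> any 23 (msg:"already disabled"; sid:1000005; rev:1;)
"""

# Rule header: action proto src sport dir dst dport, followed by the option block.
HEADER = re.compile(
    r"^(alert|log|pass|drop|reject|sdrop)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\("
)


def expand_ports(spec: str, portvars: Dict[str, Set[int]]) -> Optional[Set[int]]:
    """Return the ports a dport spec covers; None means 'any' or an unresolved variable."""
    spec = spec.strip("[]")
    if spec == "any":
        return None
    if spec.startswith("$"):
        return portvars.get(spec[1:])  # unknown variable -> None -> rule is left alone
    ports: Set[int] = set()
    for part in spec.split(","):
        if ":" in part:  # Snort range syntax, e.g. 1024: or 6000:6010
            lo, hi = part.split(":")
            ports.update(range(int(lo or 0), int(hi or 65535) + 1))
        else:
            ports.add(int(part))
    return ports


def tune_rules(rules_text: str, running_ports: Set[int], portvars: Dict[str, Set[int]]) -> List[str]:
    """Comment out rules aimed only at ports where no monitored host runs a service."""
    out: List[str] = []
    for line in rules_text.splitlines():
        m = HEADER.match(line)
        if not m:
            out.append(line)  # comments, blank lines, already-disabled rules
            continue
        ports = expand_ports(m.group(7), portvars)
        if ports is not None and ports.isdisjoint(running_ports):
            out.append("# tuned-out (no such service): " + line)
        else:
            out.append(line)
    return out
```

Feed it the real rules file and a port list taken from an inventory of the hosts in $HOME_NET; the rewritten file can then be diffed before it is dropped into the sensor's configuration.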