Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: [Snort-users] Snort Basica Help on tuning signatures

from [Basselgia, Barry A Mr (NAF Atsugi)] Network Security [Permanent Link]
Subject: RE: [Snort-users] Snort Basica Help on tuning signatures
Date: Tue, 1 Feb 2005 08:53:06 +0900 
Another way to tune the signatures is to use the threshold.conf file.  If
you want to keep the rule active, but are getting "False Positives" from/to
a specific IP Address you suppress/limit the alerts.  Here is an example.

I have a few machines that run SNMP, I get a lot of hits on these machines
from the SNMP rules.  If I turn the rules off, and someone else tries to
exploit an SNMP vulnerability I wont detect it.  However, if I use the
threshold.conf file and suppress the alerts from the systems I know should
be running SNMP, I'll still get alerts if someone tries an SNMP attach/scan
on my network.

The threshold.conf file has comments in it that do a good job of telling you
how this works.

Barry


-----Original Message-----
From: snort-users-admin@lists.sourceforge.net
[mailto:snort-users-admin@lists.sourceforge.net]On Behalf Of
adamk@computer.org
Sent: Monday, January 31, 2005 4:34 PM
To: 'sEc nErD'; Snort-users@lists.sourceforge.net
Subject: RE: [Snort-users] Snort Basica Help on tuning signatures


There are a few ways to do it, the easiest is one of the following:
1. You can disable groups of rules in snort.conf by commenting out (#) the
relevant line -
Ex: include $RULE_PATH/nntp.rules -> #include $RULE_PATH/nntp.rules
- OR -
2. You can comment out specific rules located in the rules directory, i.e.
if you're running IIS and want to disable WebDAV rules, comment out the
relevant WebDAV signatures.

Keep in mind that defining variables in your snort.conf file is an effective
method of tuning the policy.

Good luck
~ adam

 

-----Original Message-----
From: snort-users-admin@lists.sourceforge.net
[mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of sEc nErD
Sent: Sunday, January 30, 2005 12:46 PM
To: Snort-users@lists.sourceforge.net
Subject: [Snort-users] Snort Basica Help on tuning signatures


hi all
Could anybone walk me through of how to go about tuning the snort signatures
,like how i could disable and enable them thanks


        
                
__________________________________ 
Do you Yahoo!? 
Yahoo! Mail - You care about security. So do we. 
http://promotions.yahoo.com/new_mail


-------------------------------------------------------
This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting
Tool for open source databases. Create drag-&-drop reports. Save time
by over 75%! Publish reports on the web. Export to DOC, XLS, RTF, etc.
Download a FREE copy at http://www.intelliview.com/go/osdn_nl
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



-------------------------------------------------------
This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting
Tool for open source databases. Create drag-&-drop reports. Save time
by over 75%! Publish reports on the web. Export to DOC, XLS, RTF, etc.
Download a FREE copy at http://www.intelliview.com/go/osdn_nl
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------
This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting
Tool for open source databases. Create drag-&-drop reports. Save time
by over 75%! Publish reports on the web. Export to DOC, XLS, RTF, etc.
Download a FREE copy at http://www.intelliview.com/go/osdn_nl
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • RE: [Snort-users] Snort Basica Help on tuning signatures, Basselgia, Barry A Mr (NAF Atsugi) <=
Previous by Date:  Re: [Snort-users] JPGraph problem in ACID and SNORTREPORT., Alejandro Flores
Next by Date:  Re: [Snort-users] Snort support for Cisco ISL?, John Duksta
Previous by Thread:  [Snort-users] Snort support for Cisco ISL?, John Duksta
Indexes:  [Date] [Thread] [Top] [All Lists]