The room will be our usual one after all; the remodel
has been rescheduled.
--- James Affeld <jamesaffeld@yahoo.com> wrote:
Presentation Topic: Snort Rule Clinic
James Affeld (me) will present a clinic on writing
Snort rules for detection and performance, with a
heavy reliance on the 80-20 principle (where 80% of
the value is in 20% of the features).
This will not be a dry recitation of what's already
in
the excellent Snort manual, nor an exposition of
Snort
arcana. My intent will be to cover the most
generally
useful features, the areas easiest to make mistakes,
and some things that should be in the manual but
aren't. In short, what I think you need to write
good
Snort rules for the typical IT shop (if there is
such
a thing). I'll also try to cover in sufficient
detail
that you'll be able to parse rules written by other
people and understand what they are looking for.
To anchor the rule lore in brain space, we'll also
take a poorly constructed rule and improve it until
it's efficient and accurate. Time permitting, we'll
deconstruct/interpret one of the hairiest rules in
the
Snort distribution.
This presentation will not cover the new rule
options
available with the release of Snort 2.6. That may
be
covered in a future presentation.
About the speaker (me): James Affeld has been using
Snort for about 5 years. He obtained the GIAC GCIA
(GIAC Certified Intusion Analyst) Gold certification
in August 2003, and taught the Local Mentor edition
of
the SANS IDS class in the summer of 2005 (broadly
comparable to being a TA for an upper division
class).
Seasnug website:
http://blowfish.southseattle.edu/SeaSnUG/
RSVP at http://www.snort.org/registrations/rsvp.html
The SeaSnUG mailing list is at:
https://lists.snort.org/mailman/listinfo/seattlesug
Regional Map and Directions:
http://southseattle.edu/
campus/map.htm
Metro Transit Route 125:
http://transit.metrokc.gov/tops/bus/schedules/s125_0_.html
Metro Transit Route 128:
http://transit.metrokc.gov/tops/bus/schedules/s128_0_.html
Campus Map:
http://southseattle.edu/campus/campmap.htm
Contact: jamesaffeld@yahoo.com
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam
protection around
http://mail.yahoo.com
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
