The number of alerts depends on a million things (okay, well, maybe not a
million, but. several.)
How many rules you have turned on
Placement of sensor
amount of traffic
vulnerability of network
number of possibly compromised machines
bad programs
bad operating systems
untuned sensor
number of web servers
...
...
...
Start off by turning off rules that don't apply to you (ex. don't run pop3
servers? turn off pop3 rules), turn off rules that you don't care about (snmp,
icmp, etc..) tune your http_inspect preprocessor, ftp_telnet preprocessor,
smtp preprocessor, frag3.. etc..etc...
That should give you a start.
Joel
On Fri, Aug 25, 2006 at 09:03:03AM -0500, Patrick S. Harper apparently sent me:
You have to turn you snort.conf and your rules to weed these out. Setting
it up is the easy part, tuning is the hard part.
-----Original Message-----
From: snort-users-bounces@lists.sourceforge.net
[mailto:snort-users-bounces@lists.sourceforge.net] On Behalf Of Denis
Sacchet
Sent: Friday, August 25, 2006 8:32 AM
To: snort-users@lists.sourceforge.net
Subject: [Snort-users] Rate of alert
Hello everybody,
I wonder if 60 unique alerts (for about 10000 alerts) is normal for a
snort configuration. Moreover, those alerts seems to not correspond
every time, and I adjust my rules to filter for example vulnerability on
IMAP server type, but my IMAP server is not of this type, IIS attack
onto apache web server, etc ...
Perhaps something is wrong in the configuration used.
Thanks for your point of view and your input about the number of alert
and the type;
Best regards
Denis Sacchet
-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job
easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
+---------------------------------------------------------------------+
joel esler senior security consultant 1-706-627-2101
Sourcefire Security for the /Real/ World -- http://www.sourcefire.com
Snort - Open Source Network IPS/IDS -- http://www.snort.org
gpg key: http://demo.sourcefire.com/jesler.pgp.key
aim:eslerjoel ymsg:eslerjoel gtalk:eslerj
+---------------------------------------------------------------------+
-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
