as you know snort has a lot of signatures that some of them are expired
now.
Do you have any idea to identify and remove the expired signatures? (I
want to
decrease the loading time)
I don't know about expired, but certainly many of them are several years old
and detect attacks that may not affect your environment because of the
systems that aren't present and also the patch levels of the systems that
are.
Evaluating the signatures that affect your environment is something that you
will definitely need to dedicate some time to now and on a regular basis in
the future. I recommend using a tool like Oinkmaster or Activeworx IDS
Policy Manager to aid you in managing your signature set. It's the hardest
part of maintaining NIDS, but also the most valuable. It not only helps
with sensor performance, but it also helps reduce the 'noise' of irrelevant
or erroneous alerts that you otherwise must sift through when using a
default rule set.
I wrote a blog post back in March about finding and disabling rules by
Microsoft patch/bulletin IDs that are present in the rules. This may help
you or give you some ideas on how to proceed with your own tuning efforts.
http://pmelson.blogspot.com/2007/03/when-it-comes-to-tuning-ids-and.html
PaulM
-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
