
Managing Security with Snort & IDS Tools by Christopher Gerg, Kerry J. Cox


Initial Configuration and Tuning

Spending some time pruning the rules and features that Snort uses pays dividends. Your decisions in this phase of tuning have the potential to make your life as an administrator much easier. Be careful, though. Mistakes at this point have serious consequences. There are some easy, low-risk things you can do, however. The suggestions below provide a place to start and will help address the majority of the sources of false positives. As an administrator is able to establish a baseline for what is "normal" for the way their network is used, further tuning and customization is possible. It should be mentioned that when you make changes to the snort.conf file or the rules, you must stop the Snort process and restart it for the changes to take effect.

Tailoring the Decoder and Preprocessors

Anyone who watches a network with a connection to the Internet will tell you that the volume of port-scanning traffic, worm-related attempted exploits, and scripted attacks against arbitrary ranges of addresses is constantly increasing. A Snort sensor watching this traffic generates many alerts—particularly the portscan components. While the alerts generated as a result of this traffic might be an indicator of the initial phases of an attack, the usefulness of these alerts is questionable given their volume. Tracking down the source may be difficult, too—particularly if the system is located in another country. Sometimes the source is a worm-infected workstation sitting ...
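Before pruning rules or preprocessors, it helps to measure which signatures and which source hosts account for most of the alert volume. The script below is an added example, not code from the book; it assumes Snort's one-line "fast" alert output format, and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in Snort's "alert_fast" style (assumption: this
# is the format your sensor writes). Addresses are documentation ranges.
SAMPLE_ALERTS = """\
03/15-10:01:02.123456  [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 203.0.113.7 -> 192.0.2.10
03/15-10:01:05.654321  [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 203.0.113.7 -> 192.0.2.11
03/15-10:02:10.000001  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Priority: 2] {UDP} 198.51.100.9:1434 -> 192.0.2.20:1434
03/15-10:03:44.111111  [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 198.51.100.9 -> 192.0.2.12
03/15-10:04:00.222222  [**] [1:1000001:1] LOCAL web admin access [**] [Priority: 1] {TCP} 192.0.2.5:51234 -> 192.0.2.80:80
"""

# One fast-format alert: timestamp, [gid:sid:rev], message, optional
# classification and priority, protocol, then src[:port] -> dst[:port].
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:[^\]]*\])?"
    r"(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>[0-9.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[0-9.]+)(?::(?P<dport>\d+))?$"
)


def parse_alert(line):
    """Return a dict of fields for one alert line, or None if it does not parse."""
    m = ALERT_RE.match(line)
    return m.groupdict() if m else None


def summarize(text):
    """Tally alerts by signature (gid, sid, msg) and by source host.

    Returns (by_signature, by_source, unparsed_line_count).
    """
    by_sig, by_src, unparsed = Counter(), Counter(), 0
    for line in text.splitlines():
        if not line.strip():
            continue
        alert = parse_alert(line)
        if alert is None:
            unparsed += 1          # keep count so format drift is noticed
            continue
        by_sig[(alert["gid"], alert["sid"], alert["msg"])] += 1
        by_src[alert["src"]] += 1
    return by_sig, by_src, unparsed


if __name__ == "__main__":
    sigs, srcs, bad = summarize(SAMPLE_ALERTS)
    print("top signatures:", sigs.most_common(3))
    print("top sources:", srcs.most_common(3), "unparsed:", bad)
```

Feed it the sensor's real alert file instead of SAMPLE_ALERTS; the signatures at the top of the list are the first candidates for preprocessor tuning or a pass rule.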
