unSpawn | 05-04-2008 06:24 AM
Quote:
Originally Posted by abefroman
(Post 3141746)
How many alerts a day do you get on snort?
Ranging from a few to a few hundred.
Quote:
Originally Posted by abefroman
(Post 3141746)
I know I'm getting way too many and want to optimize, but I don't want to optimize too much. How many alerts/day should I try to get it down to?
I think your aim should not be to bring the number of alerts down (quantity) but what it trips on (quality).
First prune rulesets that you don't need (anything P2P, etc, etc). Log for a while. Then assess which services are exposed to the world and should need watching, then gather statistics to see what it trips on. Correlate stats with services and prune rules further (MS-.*, Solaris, Websphere). Then add a BPF filter for services that need watching but are accessed from "trusted" ranges if it trips on that. Log for a while. Search logs for false positives and also see threshold.conf for alert/warn ratios.
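The "gather statistics, correlate with exposed services, then prune / suppress / BPF-filter" loop above can be scripted against Snort's alert_fast output. The following is an added example (not unSpawn's or the Snort project's code): it parses fast-format alert lines, counts hits per rule and per destination port, and drafts tuning candidates under three assumed inputs: the set of ports actually exposed or worth watching, the "trusted" source ranges, and a hit count above which an exposed-service rule is treated as noisy. The sample alert lines, their SIDs and messages are constructed for the example and are not necessarily real Snort rule IDs. The emitted lines use Snort 2's threshold.conf `suppress` and `event_filter` syntax (older 2.x releases spell `event_filter` as `threshold` with the same options), and a libpcap BPF clause of the form the post describes; check both against the threshold.conf and snort.conf shipped with your version before using them.

```python
"""Aggregate Snort alert_fast lines, correlate with exposed services, and
draft threshold.conf / BPF tuning candidates.  Added example, not Snort code."""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# One alert_fast line: ts [**] [gid:sid:rev] msg [**] [Classification: ..] [Priority: n] {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r'^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+'
    r'(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[Classification:\s*[^\]]*\]\s+)?'
    r'\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+'
    r'(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$'
)

# Constructed sample alerts (made-up SIDs/messages, documentation IP ranges), not from a real sensor.
SAMPLE_ALERTS = """\
05/04-06:10:01.000001  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.7:1434 -> 192.0.2.10:1434
05/04-06:10:02.000001  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.8:1434 -> 192.0.2.10:1434
05/04-06:11:00.000001  [**] [1:1201:7] WEB-MISC 403 Forbidden [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.5:41234 -> 192.0.2.10:80
05/04-06:12:00.000001  [**] [1:1201:7] WEB-MISC 403 Forbidden [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.6:41235 -> 192.0.2.10:80
05/04-06:13:00.000001  [**] [1:1201:7] WEB-MISC 403 Forbidden [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:41236 -> 192.0.2.10:80
05/04-06:14:00.000001  [**] [1:2049:6] SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.0.0.5:56000 -> 192.0.2.10:161
05/04-06:15:00.000001  [**] [1:2049:6] SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.0.0.5:56001 -> 192.0.2.10:161
05/04-06:16:00.000001  [**] [1:528:5] BAD-TRAFFIC loopback traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 127.0.0.1:4321 -> 192.0.2.10:22
"""

# Assumed site knowledge: what is exposed/worth watching, and which ranges are "trusted".
EXPOSED_PORTS = {22, 80, 161}
TRUSTED_NETS = ["10.0.0.0/8", "192.168.0.0/16"]


def parse_alerts(text):
    """Return a list of dicts, one per parseable alert_fast line; other lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        a = m.groupdict()
        a['sid'] = int(a['sid'])
        a['dport'] = int(a['dport']) if a['dport'] else None
        alerts.append(a)
    return alerts


def summarize(alerts):
    """Statistics the post asks for: hits per rule and hits per destination port."""
    by_rule = Counter((a['sid'], a['msg']) for a in alerts)
    by_dport = Counter(a['dport'] for a in alerts)
    return by_rule, by_dport


def tuning_candidates(alerts, exposed_ports=EXPOSED_PORTS, trusted_nets=TRUSTED_NETS, noisy_after=3):
    """Correlate each rule's hits with exposed services and trusted sources.

    prune        - rule only fires against ports we do not expose: drop the rule.
    suppress     - rule fires only from trusted ranges: threshold.conf suppress line.
    bpf          - same case, as a capture-time BPF clause for the watched port.
    event_filter - rule fires often against an exposed service: rate-limit per source.
    Anything else is left alone so it still shows up for a human to look at.
    """
    nets = [ip_network(n) for n in trusted_nets]
    per_sid = defaultdict(list)
    for a in alerts:
        per_sid[a['sid']].append(a)
    out = {'prune': [], 'suppress': [], 'event_filter': [], 'bpf': []}
    for sid, hits in sorted(per_sid.items()):
        msg = hits[0]['msg']
        dports = {h['dport'] for h in hits if h['dport'] is not None}
        if dports and dports.isdisjoint(exposed_ports):
            out['prune'].append(f"# sid {sid} ({msg}): only hits ports {sorted(dports)}, none exposed; drop the rule")
            continue
        srcs = [ip_address(h['src']) for h in hits]
        if all(any(s in n for n in nets) for s in srcs):
            for n in nets:
                if any(s in n for s in srcs):
                    out['suppress'].append(f"suppress gen_id 1, sig_id {sid}, track by_src, ip {n}")
                    for p in sorted(dports):
                        out['bpf'].append(f"not (src net {n} and dst port {p})")
        elif len(hits) >= noisy_after:
            out['event_filter'].append(
                f"event_filter gen_id 1, sig_id {sid}, type limit, track by_src, count 1, seconds 60")
    return out


def bpf_expression(clauses):
    """Join the per-service clauses into one filter to hand to snort on the command line."""
    return " and ".join(clauses)


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    by_rule, by_dport = summarize(alerts)
    for (sid, msg), n in by_rule.most_common():
        print(f"{n:5d}  sid {sid}  {msg}")
    for section, lines in tuning_candidates(alerts).items():
        for line in lines:
            print(f"[{section}] {line}")
    print("BPF:", bpf_expression(tuning_candidates(alerts)['bpf']))
```

Read the output as a worklist, not as a patch to apply blindly: the `prune` lines go back into snort.conf as rules to disable, the `suppress` and `event_filter` lines into threshold.conf, and the BPF expression onto the snort command line. The loopback alert in the sample deliberately matches none of the three cases and is left alone, which is the point of tuning for quality rather than count.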