[unisog] Usage of Snort at your Site

Stefan Lueders Stefan.Lueders at cern.ch
Thu Jun 11 11:06:36 GMT 2009


Hello!
 
We are currently looking into streamlining our Snort rules and deploying additional rules from the two sources VRT and Emerging
Threats. We have started with classifying their rule sets according to our needs, since it turned out that the classification scheme
coming with the rules is rather ad-hoc and not very helpful. We've come up with three custom classes: "compromised", "attack" and
"policy violation".
 
However, even if we were able to classify the rule sets into our classes, many rule sets contain only a few "interesting" rules
among several hundred useless ones. The useless ones, even if they might provide important information, give thousands of false
positives due to legitimate traffic. Again, the inherent VRT/ET classification scheme does not allow for properly identifying them,
and we're stuck with how to identify those "interesting" rules.
 
Finally, many rule sets are inhomogeneous in the sense that they contain both "easy" rules testing just two bytes and "complex"
rules with dedicated regex. In our environment, the "easy" rules produce (too) many false positives: e.g. in order to detect Emule
usage only two bytes are tested, and we see that these rules often trigger on encrypted Skype traffic which resembles those two bytes
every now and then. Unfortunately, there is no proper metric to distinguish between "easy" and "complex" ones.
 
Therefore:
 * Have you deployed Snort?
 * Which rules (rule sets) do you use?
 * How did you select these rules?
 * Do you have your own classification scheme?
 
I am looking forward to an interesting discussion :-)
 
Yours S>>L

---------- European Organization for Nuclear Research ----------
Dr. Stefan Lüders         
CERN Computer Security Team               Office +41 22 767 4841
Building 31, Room 2-001, PostBox F20710   Mobile +41 76 487 0207
CH-1211 Geneva 23                         Fax    +41 22 766 9703
----------------------------------------------------------------  
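The post asks for a metric that separates "easy" two-byte rules from "complex" rules carrying a dedicated regex. The following script is an added example, not part of the original unisog post and not a VRT or Emerging Threats tool: it parses Snort 2 rule syntax (action, header, then `opt:value;` pairs in parentheses), counts the bytes each `content:` match actually tests (treating `|hex|` blocks as bytes), notes whether `pcre:` and `flow:` are present, and turns that into a score and an "easy"/"complex" bucket. The sample rules, their sids in the local 1000000+ range, and the weights `PCRE_WEIGHT`, `FLOW_WEIGHT` and `EASY_THRESHOLD` are all constructed assumptions to be tuned per site; the point is the mechanism, not the numbers.

```python
"""Heuristic scoring of Snort rules into "easy" and "complex" buckets.

Added example, not part of the original unisog post and not a VRT/ET tool.
Assumes Snort 2 rule syntax:  action proto src sport -> dst dport (opt:val; ...)
The weights and threshold below are assumptions to be tuned per site.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

PCRE_WEIGHT = 8      # assumed: a regex counts roughly as eight matched bytes
FLOW_WEIGHT = 2      # assumed: flow/direction qualifiers add some specificity
EASY_THRESHOLD = 8   # assumed: below this score a rule is "easy"

# Constructed rules for illustration only; not VRT or ET rules.
SAMPLE_RULES = [
    'alert tcp any any -> any any (msg:"CONSTRUCTED two-byte P2P-style match"; '
    'content:"|e3 01|"; sid:1000001; rev:1;)',
    r'alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"CONSTRUCTED UA check"; '
    r'flow:to_server,established; content:"User-Agent|3a 20|"; '
    r'pcre:"/^User-Agent\x3a\x20[a-z]{3}\/\d\.\d/smi"; sid:1000002; rev:1;)',
    'alert tcp any any -> any 445 (msg:"CONSTRUCTED SMB marker"; '
    'content:"|ff 53 4d 42|"; offset:4; depth:4; sid:1000003; rev:1;)',
]


@dataclass
class RuleScore:
    sid: str
    msg: str
    content_bytes: int   # bytes tested by all content: options together
    content_count: int
    has_pcre: bool
    has_flow: bool
    score: int
    bucket: str          # "easy" or "complex"


def split_options(opt_text: str) -> list[tuple[str, str | None]]:
    """Split the rule body on ';' outside quotes, honouring backslash escapes."""
    options: list[tuple[str, str | None]] = []
    cur: list[str] = []
    in_quote = esc = False
    for ch in opt_text:
        if esc:                       # character after a backslash is literal
            cur.append(ch)
            esc = False
            continue
        if ch == "\\":
            cur.append(ch)
            esc = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            tok = "".join(cur).strip()
            if tok:
                name, _, val = tok.partition(":")
                options.append((name.strip(), val.strip() or None))
            cur = []
            continue
        cur.append(ch)
    return options


def content_length(value: str) -> int:
    """Bytes matched by one content: value; |..| blocks are hex byte pairs."""
    v = value.strip()
    if v.startswith("!"):             # negated content still tests those bytes
        v = v[1:].strip()
    v = v.strip('"')
    total = 0
    for i, part in enumerate(v.split("|")):
        if i % 2 == 1:                # inside |...|: one byte per hex pair
            total += len(part.split())
        else:                         # literal text; \x escapes count as one byte
            total += len(re.sub(r"\\(.)", r"\1", part))
    return total


def score_rule(rule: str) -> RuleScore:
    """Parse one rule and score how much it actually tests."""
    _header, _, body = rule.partition("(")
    body = body.rsplit(")", 1)[0]     # drop the closing parenthesis of the rule
    sid = msg = ""
    content_bytes = content_count = 0
    has_pcre = has_flow = False
    for name, val in split_options(body):
        if name == "sid" and val:
            sid = val
        elif name == "msg" and val:
            msg = val.strip('"')
        elif name == "content" and val:
            content_count += 1
            content_bytes += content_length(val)
        elif name == "pcre":
            has_pcre = True
        elif name == "flow":
            has_flow = True
    score = content_bytes + (PCRE_WEIGHT if has_pcre else 0) + (FLOW_WEIGHT if has_flow else 0)
    bucket = "easy" if score < EASY_THRESHOLD else "complex"
    return RuleScore(sid, msg, content_bytes, content_count, has_pcre, has_flow, score, bucket)


def classify_rules(rules: list[str]) -> dict[str, str]:
    """Map sid -> bucket for a list of rules."""
    return {r.sid: r.bucket for r in map(score_rule, rules)}


if __name__ == "__main__":
    for r in map(score_rule, SAMPLE_RULES):
        print(f"sid {r.sid:>8}  bytes {r.content_bytes:>3}  pcre {r.has_pcre!s:5}  "
              f"score {r.score:>3}  {r.bucket:8}  {r.msg}")
```

Run against a rule file split into one rule per line, the "easy" bucket is the candidate list to review first for false-positive pruning; the two-byte Emule-style rule from the post scores 2, whereas a rule with an established-flow qualifier plus a regex scores well above the threshold. Threshold and weights deliberately sit at the top of the file so they can be adjusted against observed alert volumes.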

