Refining the Ruleset

Tuning and trimming the Snort ruleset has the greatest effect on Snort's performance and on its false-positive rate. Apply what you know about your network infrastructure and your IDS policy to the ruleset and you will have a high-performance IDS that can handle all but the heaviest loads. To organize and trim the ruleset correctly, you first need a basic understanding of how Snort processes rules.

As alluded to briefly in Chapter 3, a Snort rule is made up of two components: the Rule Header and the Rule Options, as shown in Figure 10.3.

Figure 10.3. Snort Rule Header and Rule Option.

The Rule Header defines the type of alert and which protocols, IP addresses, and IP ...
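The split between header and options is easiest to see by parsing a rule yourself. The following is an added example, not code from this book or from the Snort project; it assumes the standard Snort 2 text rule syntax (seven whitespace-separated header fields, then a parenthesised, semicolon-terminated option list) and uses two constructed sample rules. The `is_unscoped` heuristic (a header that restricts neither network nor destination port) is this example's own tuning check, not something the book states.

```python
"""Split a Snort rule into its Rule Header and Rule Options (added example, not the book's code)."""
from dataclasses import dataclass, field

# Constructed sample rules for the example (not from any shipped ruleset).
# Rule 1 is scoped to $HOME_NET:80 and carries a content match; rule 2 matches everything.
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB example; semicolon in msg"; '
    'flow:to_server,established; content:"GET"; nocase; sid:1000001; rev:1;)',
    'alert ip any any -> any any (msg:"unscoped rule"; sid:1000002; rev:1;)',
]


@dataclass
class SnortRule:
    # Rule Header fields, in the order they appear in the rule text.
    action: str
    protocol: str
    src_ip: str
    src_port: str
    direction: str
    dst_ip: str
    dst_port: str
    # Rule Options as (keyword, value) pairs; value is None for bare keywords such as "nocase".
    options: list = field(default_factory=list)


def split_options(body: str) -> list:
    """Split 'msg:"a;b"; sid:1;' into [('msg', '"a;b"'), ('sid', '1')].

    Semicolons inside double quotes and backslash-escaped characters do not end an option.
    """
    opts, buf, in_quote, i = [], [], False, 0
    while i < len(body):
        c = body[i]
        if c == "\\" and i + 1 < len(body):  # keep escape and escaped char verbatim
            buf.append(c)
            buf.append(body[i + 1])
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        if c == ";" and not in_quote:
            tok = "".join(buf).strip()
            if tok:
                kw, sep, val = tok.partition(":")
                opts.append((kw.strip(), val.strip() if sep else None))
            buf = []
        else:
            buf.append(c)
        i += 1
    tail = "".join(buf).strip()
    if tail:
        raise ValueError("option not terminated by ';': %r" % tail)
    return opts


def parse_rule(text: str) -> SnortRule:
    """Parse one single-line Snort rule into header fields and option pairs."""
    text = text.strip()
    if not text.endswith(")"):
        raise ValueError("rule must end with ')'")
    head, sep, rest = text.partition("(")  # the header never contains '(' in standard syntax
    if not sep:
        raise ValueError("missing '(' separating header from options")
    fields = head.split()
    if len(fields) != 7:
        raise ValueError("header needs 7 fields, got %d: %r" % (len(fields), head))
    action, proto, sip, sport, direction, dip, dport = fields
    if direction not in ("->", "<>"):
        raise ValueError("bad direction operator %r" % direction)
    return SnortRule(action, proto, sip, sport, direction, dip, dport, split_options(rest[:-1]))


def is_unscoped(rule: SnortRule) -> bool:
    """Example heuristic (assumption, not from the book): flag rules whose header gives the
    engine nothing to filter on, i.e. 'any' on both addresses and on the destination port."""
    return rule.src_ip == "any" and rule.dst_ip == "any" and rule.dst_port == "any"


if __name__ == "__main__":
    for raw in SAMPLE_RULES:
        r = parse_rule(raw)
        sid = dict(r.options).get("sid")
        print("sid %s: %s %s %s:%s %s %s:%s, %d options%s" % (
            sid, r.action, r.protocol, r.src_ip, r.src_port, r.direction,
            r.dst_ip, r.dst_port, len(r.options), "  [unscoped header]" if is_unscoped(r) else ""))
```

Running the script over the two constructed rules prints one summary line per rule and marks the second as unscoped; once a ruleset is parsed this way, the header fields are what you sort and trim on, and the options are what tell you whether a rule still earns its place.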

