Refining the Ruleset
Tuning and trimming the Snort ruleset has the greatest impact on Snort's performance and the number of false positives. If you can apply your knowledge of your network infrastructure and IDS policy to the ruleset, you will undoubtedly have a high-performance IDS on your hands, capable of dealing with all but the heaviest of loads. To understand how to correctly organize and trim the ruleset, you should have a basic understanding of how Snort processes rules.
As alluded to briefly in Chapter 3, Snort rules are made up of two components: the Rule Header and Rule Option, as shown in Figure 10.3.
Figure 10.3. Snort Rule Header and Rule Option.
The Rule Header defines the type of alert and which protocols, IP addresses, and IP ...
Get Intrusion Detection with Snort now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
