Refining the Ruleset
Tuning and trimming the Snort ruleset has the greatest impact on Snort's performance and the number of false positives. If you can apply your knowledge of your network infrastructure and IDS policy to the ruleset, you will undoubtedly have a high-performance IDS on your hands, capable of dealing with all but the heaviest of loads. To understand how to correctly organize and trim the ruleset, you should have a basic understanding of how Snort processes rules.
Figure 10.3. Snort Rule Header and Rule Option.
The Rule Header defines the type of alert and which protocols, IP addresses, and IP ...
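As an added illustration of the rule-header fields and of applying network knowledge to the ruleset (example code, not from the book or the Snort project), the script below splits each rule into its header fields (action, protocol, source and destination addresses and ports, direction) and then drops rules that cannot match on the monitored network: rules whose destination lies outside `$HOME_NET`, and rules for services the site does not run. The sample rules, their sids, the variable values and the policy sets are all constructed for this example; negated addresses and port ranges are deliberately not handled.

```python
"""Parse Snort rule headers and prune a ruleset against local network knowledge.

Added example, not the book's own code. The sample rules, sids and policy values
below are constructed for illustration. Negated fields (!x) and port ranges are
not handled; only single CIDRs, 'any', bracketed lists and $VARIABLES are."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed ruleset (sids in the local 1000000+ range, not real Snort rules).
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB example"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1433 (msg:"MSSQL example"; sid:1000002; rev:1;)
alert udp any any -> 192.0.2.0/24 161 (msg:"SNMP example"; sid:1000003; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"ICMP example"; sid:1000004; rev:1;)
# alert tcp any any -> any 23 (msg:"commented-out example"; sid:1000005; rev:1;)
"""

# Constructed site policy: what the analyst knows about the monitored network.
VARIABLES = {"$HOME_NET": "10.0.0.0/8", "$EXTERNAL_NET": "any"}
UNUSED_SERVICES: Set[int] = {1433}   # assumption: no MSSQL servers on this network

# Rule header: action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<options>.*)\)\s*$"
)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    sid: Optional[int]
    raw: str


def parse_rule(line: str) -> Optional[Rule]:
    """Split one rule line into header fields; None for blank, comment or unparsable lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = HEADER_RE.match(line)
    if not m:
        return None
    sid_m = re.search(r"\bsid:\s*(\d+)", m.group("options"))
    return Rule(m["action"], m["proto"], m["src"], m["sport"], m["dir"],
                m["dst"], m["dport"], int(sid_m.group(1)) if sid_m else None, line)


def resolve_networks(token: str) -> Optional[List[ipaddress.IPv4Network]]:
    """Expand an address field (variable, CIDR or [a,b] list) into networks; None means 'any'."""
    token = VARIABLES.get(token, token)
    if token == "any":
        return None
    return [ipaddress.ip_network(t.strip(), strict=False)
            for t in token.strip("[]").split(",")]


def touches_home_net(token: str) -> bool:
    """True if the address field can match traffic to/from the configured $HOME_NET."""
    nets = resolve_networks(token)
    home = ipaddress.ip_network(VARIABLES["$HOME_NET"])
    return nets is None or any(n.overlaps(home) for n in nets)


def port_in(token: str, ports: Set[int]) -> bool:
    """True if the port field is a single numeric port contained in `ports`."""
    return token.isdigit() and int(token) in ports


def prune(text: str) -> Tuple[List[Rule], List[Tuple[Optional[int], str]]]:
    """Apply the site policy; return (kept rules, [(sid, reason) for dropped rules])."""
    kept, dropped = [], []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is None:
            continue
        if not touches_home_net(rule.dst):
            dropped.append((rule.sid, "destination outside HOME_NET"))
        elif port_in(rule.dport, UNUSED_SERVICES):
            dropped.append((rule.sid, "service not present on network"))
        else:
            kept.append(rule)
    return kept, dropped


if __name__ == "__main__":
    kept_rules, dropped_rules = prune(SAMPLE_RULES)
    for r in kept_rules:
        print("keep", r.sid, r.proto, r.dst, r.dport)
    for sid, why in dropped_rules:
        print("drop", sid, why)
```

Every rule the pruner removes is one Snort would otherwise evaluate against each packet, so the kept list is both the smaller and the lower-false-positive ruleset the text describes; the same parsed fields can drive other policy checks (for example, dropping rules for protocols the sensor never sees).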