
Intrusion Detection with Snort by Jack Koziol


Refining the Ruleset

Tuning and trimming the Snort ruleset has the greatest impact on both Snort's performance and its false-positive rate. If you apply what you know about your network infrastructure and your IDS policy to the ruleset, you will have a high-performance sensor capable of handling all but the heaviest loads. To organize and trim the ruleset correctly, you need a basic understanding of how Snort processes rules.

As alluded to briefly in Chapter 3, a Snort rule is made up of two components: the Rule Header and the Rule Options, as shown in Figure 10.3.

Figure 10.3. Snort Rule Header and Rule Option.

The Rule Header defines the type of alert and which protocols, IP addresses, and IP ...
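The header/options split described above, applied to trimming: the following is an added example (not code from the book or from the Snort project) that parses each rule into its header fields and its ordered option list, then drops rules whose destination port cannot reach a service the network actually runs. The sample rules, the service inventory (SERVICES) and the variable table (VARIABLES) are constructed for the example; the sid values sit in the local range.

```python
import re
from dataclasses import dataclass

@dataclass
class SnortRule:
    action: str; protocol: str
    src_ip: str; src_port: str; direction: str; dst_ip: str; dst_port: str
    options: list  # [(keyword, value_or_None), ...] in rule order

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src_ip>\S+)\s+(?P<src_port>\S+)"
    r"\s+(?P<dir>->|<>)\s+(?P<dst_ip>\S+)\s+(?P<dst_port>\S+)$")

def split_options(body):
    """Split the option block on ';', ignoring semicolons inside double
    quotes or escaped with a backslash (common in msg: and content:)."""
    tokens, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch); escaped = False
        elif ch == "\\":
            cur.append(ch); escaped = True
        elif ch == ";" and not in_quote:
            tokens.append("".join(cur)); cur = []
        else:
            if ch == '"':
                in_quote = not in_quote
            cur.append(ch)
    tokens.append("".join(cur))          # tolerate a missing final ';'
    options = []
    for tok in filter(None, (t.strip() for t in tokens)):
        key, sep, value = tok.partition(":")
        options.append((key.strip(), value.strip() if sep else None))
    return options

def parse_rule(line):
    """Return a SnortRule, or None for blank lines and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    lparen = line.find("(")
    if lparen < 0 or not line.endswith(")"):
        raise ValueError("rule has no option block: " + line)
    m = HEADER_RE.match(line[:lparen].strip())
    if not m:
        raise ValueError("malformed rule header: " + line[:lparen])
    return SnortRule(m["action"], m["proto"], m["src_ip"], m["src_port"],
                     m["dir"], m["dst_ip"], m["dst_port"],
                     split_options(line[lparen + 1:-1]))

def option(rule, keyword):
    """Value of the first option with this keyword, or None."""
    return next((v for k, v in rule.options if k == keyword), None)

def port_matches(spec, open_ports, variables):
    """True if a header port field ('any', 80, 1:1024, :1024, 1024:, !80,
    or $VAR looked up in `variables`) could match one of open_ports."""
    if spec.startswith("$"):
        spec = variables[spec[1:]]
    if spec == "any":
        return True
    negate = spec.startswith("!")
    lo, sep, hi = spec.lstrip("!").partition(":")
    lo = int(lo) if lo else 0
    hi = int(hi) if hi else (65535 if sep else lo)
    in_range = [lo <= p <= hi for p in open_ports]
    return not all(in_range) if negate else any(in_range)

def rule_applies(rule, services, variables):
    """Keep a tcp/udp rule only if its destination port (either port for '<>')
    can reach a service in services = {(proto, port)}; ip/icmp rules are kept."""
    if rule.protocol not in ("tcp", "udp"):
        return True
    ports = {p for proto, p in services if proto == rule.protocol}
    if not ports:
        return False
    hit = port_matches(rule.dst_port, ports, variables)
    if rule.direction == "<>":
        hit = hit or port_matches(rule.src_port, ports, variables)
    return hit

def trim_ruleset(lines, services, variables):
    """Return ([kept sids], [dropped sids]) for a list of rule lines."""
    kept, dropped = [], []
    for rule in filter(None, map(parse_rule, lines)):
        bucket = kept if rule_applies(rule, services, variables) else dropped
        bucket.append(option(rule, "sid"))
    return kept, dropped

SAMPLE_RULES = [  # constructed for this example, not from any shipped ruleset
    "# a semicolon inside msg must not split the option block",
    'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC cgi-bin probe; test"; '
    'flow:to_server,established; content:"/cgi-bin/"; nocase; sid:1000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 1433 (msg:"MS-SQL probe"; content:"|02|"; sid:1000002; rev:1;)',
    'alert udp any any -> $HOME_NET 53 (msg:"DNS query"; content:"|01 00 00 01|"; sid:1000003; rev:1;)',
]
SERVICES = {("tcp", 80), ("udp", 53)}   # what this network actually runs
VARIABLES = {"HTTP_PORTS": "80"}        # mirrors the var lines in snort.conf
```

Running trim_ruleset(SAMPLE_RULES, SERVICES, VARIABLES) keeps sids 1000001 and 1000003 and drops 1000002, because no MS-SQL service listens on this network. The port matcher only looks at the header; a real trimming pass would also consult $HOME_NET and the classtype of each rule, but the header alone already removes the largest block of never-firing rules.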
