Tuning Snort and flex response
![[mail]](img/envelope.gif){kind=small}
Tuning Snort
Snort can be a very useful tool in any network environment. However it's not enough to just install it and monitor the events. After Snort is installed and operational you will no doubt notice a lot of so called "false positives" - Snort alerts that are set off by a legitimate traffic. You will also notice legitimate events that repeat over and over again, filling up the logs. Example of such event could be FTP brute force attack, when a malicious user is running brute forcing tools such as "hydra" to try and guess FTP accounts and passwords.
With all of this in mind, it is important to tune the Snort installation in order to reduce the noise, or "false positive" to legitimate alert ratio. Here are some steps that you can follow to accomplish the task.
Installing Snort sensor with Mysql and BASE on CentOS Linux
Why Centos?
CentOS is an Enterprise-class Linux Distribution derived from sources freely provided to the public by Redhat. It is basically a free version of Redhat's Enterprise Linux Server, so it's a good choice for stable, easy to install Linux server. Making it a perfect choice for a Snort sensor.
XML Feeds