[SASAG] Seattle Snort User Group meets Tuesday, July 11 7:00 PM @ SSCC room tba
jamesaffeld at yahoo.com
Thu Jun 29 18:44:31 PDT 2006
Presentation Topic: Snort Rule Clinic
James Affeld (me) will present a clinic on writing
Snort rules for detection and performance, with a
heavy reliance on the 80-20 principle (where 80% of
the value is in 20% of the features).
This will not be a dry recitation of what's already in
the excellent Snort manual, nor an exposition of Snort
arcana. My intent will be to cover the most generally
useful features, the areas easiest to make mistakes,
and some things that should be in the manual but
aren't. In short, what I think you need to write good
Snort rules for the typical IT shop (if there is such
a thing). I'll also try to cover in sufficient detail
that you'll be able to parse rules written by other
people and understand what they are looking for.
To anchor the rule lore in brain space, we'll also
take a poorly constructed rule and improve it until
it's efficient and accurate. Time permitting, we'll
deconstruct/interpret one of the hairiest rules in the
This presentation will not cover the new rule options
available with the release of Snort 2.6. That may be
covered in a future presentation.
About the speaker (me): James Affeld has been using
Snort for about 5 years. He obtained the GIAC GCIA
(GIAC Certified Intrusion Analyst) Gold certification
in August 2003, and taught the Local Mentor edition of
the SANS IDS class in the summer of 2005 (broadly
comparable to being a TA for an upper division class).
The room we usually use will be closed for building
renovation. I'll send a follow-up with the new
RSVP at http://www.snort.org/registrations/rsvp.html
The SeaSnUG mailing list is at:
Regional Map and Directions: http://southseattle.edu/
Metro Transit Route 125:
Metro Transit Route 128:
Contact: jamesaffeld at yahoo.com
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around