[SASAG] Seattle Snort User Group meets Tomorrow - Tuesday, July 11 7:00 PM @ SSCC room TEC129
James Affeld
jamesaffeld at yahoo.com
Mon Jul 10 15:39:14 PDT 2006
The room will be our usual one after all; the remodel
has been rescheduled.
--- James Affeld <jamesaffeld at yahoo.com> wrote:
> Presentation Topic: Snort Rule Clinic
> James Affeld (me) will present a clinic on writing
> Snort rules for detection and performance, with a
> heavy reliance on the 80-20 principle (where 80% of
> the value is in 20% of the features).
>
> This will not be a dry recitation of what's already
> in
> the excellent Snort manual, nor an exposition of
> Snort
> arcana. My intent will be to cover the most
> generally
> useful features, the areas easiest to make mistakes,
> and some things that should be in the manual but
> aren't. In short, what I think you need to write
> good
> Snort rules for the typical IT shop (if there is
> such
> a thing). I'll also try to cover in sufficient
> detail
> that you'll be able to parse rules written by other
> people and understand what they are looking for.
>
> To anchor the rule lore in brain space, we'll also
> take a poorly constructed rule and improve it until
> it's efficient and accurate. Time permitting, we'll
> deconstruct/interpret one of the hairiest rules in
> the
> Snort distribution.
>
> This presentation will not cover the new rule
> options
> available with the release of Snort 2.6. That may
> be
> covered in a future presentation.
>
> About the speaker (me): James Affeld has been using
> Snort for about 5 years. He obtained the GIAC GCIA
> (GIAC Certified Intusion Analyst) Gold certification
> in August 2003, and taught the Local Mentor edition
> of
> the SANS IDS class in the summer of 2005 (broadly
> comparable to being a TA for an upper division
> class).
>
> Seasnug website:
> http://blowfish.southseattle.edu/SeaSnUG/
>
> RSVP at http://www.snort.org/registrations/rsvp.html
>
> The SeaSnUG mailing list is at:
> https://lists.snort.org/mailman/listinfo/seattlesug
>
> Regional Map and Directions:
> http://southseattle.edu/
> campus/map.htm
>
> Metro Transit Route 125:
>
http://transit.metrokc.gov/tops/bus/schedules/s125_0_.html
>
> Metro Transit Route 128:
>
http://transit.metrokc.gov/tops/bus/schedules/s128_0_.html
>
> Campus Map:
> http://southseattle.edu/campus/campmap.htm
>
> Contact: jamesaffeld at yahoo.com
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam
protection around
http://mail.yahoo.com
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
More information about the Members
mailing list