November 3rd, 2002, 09:19 PM
#6
Junior Member
Thanks nebulus,
You are both absolutely right. I work with security on a daily basis, and I know that computer-related security issues are not of the static kind. But until now my work has been related to working with firewalls and commercial IDS products. I haven't had to worry about how the rules work, and why they work. At least not down to the core. I know a little bit about data packets, ICMP, how to use a sniffer, and how to analyze packets (as long as I know what I am looking for). But when I look in the Snort log files I get scared. They are growing fast and furious, and I really do not feel up to trying to analyze all the data that's in there.
I have been subscribed to the CERT mailing lists for quite some time, and sometimes I even have the energy to read what's in them too. :-)
I took your advice and started to remove rules that are not that important. Rules that fill up the log files with false positives. The # works.
It looks like the rules in Snort are divided into several priorities that are related to the seriousness of the logged data. (Which of course can be wrong.)
For example:
# config classification:shortname,short description,priority
config classification: icmp-event,Generic ICMP event,3
And it looks like most of the priority 3 rules gather data that are not important, and I have already commented most of them out of the rule files.
After doing a: grep "Priority: 3" alert | wc -l
I ended up with about 1820 priority 3 alerts out of a total of 2140. The alert file is a couple of days old.
I do run a web server, but I guess I do not need to include the rule files that are related to IIS, FrontPage or ColdFusion, since I do not run any of them.
Point taken, thanks.
I guess my goal now will be to try to understand how the rules are built up and how they work, and hopefully I will be able to modify existing rules or write my own.
Thank you for taking your time to answer me. I have a feeling that I will get back to you all with questions that are a bit more challenging.
Ole S.
Oslo/Norway
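The grep pipeline in the post counts alerts of one priority; the script below is an added example (not from the original post or from the Snort project) that parses Snort's "full" alert format, counts alerts for every priority at once, and lists which signatures generate the alerts at a given priority, so you can see which rules to comment out. The alert records, signature IDs and addresses embedded in it are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample in Snort's "full" alert format. The signature IDs (local
# range 1000001+), messages and addresses are made up for this example.
SAMPLE_ALERT_FILE = """\
[**] [1:1000001:1] ICMP PING [**]
[Classification: Generic ICMP event] [Priority: 3]
11/03-09:19:21.123456 10.0.0.5 -> 10.0.0.1
ICMP TTL:64 TOS:0x0 ID:1234 IpLen:20 DgmLen:28
Type:8  Code:0  ID:1  Seq:0  ECHO

[**] [1:1000002:1] ICMP Echo Reply [**]
[Classification: Generic ICMP event] [Priority: 3]
11/03-09:19:21.223456 10.0.0.1 -> 10.0.0.5
ICMP TTL:64 TOS:0x0 ID:1235 IpLen:20 DgmLen:28
Type:0  Code:0  ID:1  Seq:0  ECHO REPLY

[**] [1:1000001:1] ICMP PING [**]
[Classification: Generic ICMP event] [Priority: 3]
11/03-09:19:22.123456 10.0.0.6 -> 10.0.0.1
ICMP TTL:64 TOS:0x0 ID:1236 IpLen:20 DgmLen:28
Type:8  Code:0  ID:1  Seq:1  ECHO

[**] [1:1000003:2] WEB-MISC suspicious request [**]
[Classification: Web Application Attack] [Priority: 1]
11/03-09:20:01.000001 192.0.2.10:4312 -> 10.0.0.1:80
TCP TTL:112 TOS:0x0 ID:4211 IpLen:20 DgmLen:540 DF
***AP*** Seq: 0x1A2B3C4D  Ack: 0x5E6F7A8B  Win: 0x4000  TcpLen: 20

[**] [1:1000004:1] SCAN XMAS probe [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/03-09:20:05.500000 192.0.2.10:55000 -> 10.0.0.1:22
TCP TTL:48 TOS:0x0 ID:1 IpLen:20 DgmLen:40
**U*P**F Seq: 0x0  Ack: 0x0  Win: 0x400  TcpLen: 20
"""

# First line of every record: [**] [gid:sid:rev] message [**]
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
# Second line: [Classification: ...] [Priority: N]; the classification part is
# absent for rules without a classtype, so it is optional here.
CLASS_RE = re.compile(r"^(?:\[Classification: (.*?)\] )?\[Priority: (\d+)\]$")


def parse_alerts(text):
    """Turn a full-format alert file into a list of dicts, one per alert."""
    alerts = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"gid": int(m.group(1)), "sid": int(m.group(2)),
                       "rev": int(m.group(3)), "msg": m.group(4),
                       "classification": None, "priority": None}
            alerts.append(current)
            continue
        m = CLASS_RE.match(line)
        if m and current is not None:
            current["classification"] = m.group(1)
            current["priority"] = int(m.group(2))
    return alerts


def count_by_priority(alerts):
    """Like grep "Priority: N" alert | wc -l, but for every N in one pass.
    Alerts with no priority line are counted under the key None."""
    return Counter(a["priority"] for a in alerts)


def top_signatures(alerts, priority, limit=5):
    """(sid, msg, count) for the rules firing at this priority, noisiest first."""
    counts = Counter((a["sid"], a["msg"]) for a in alerts if a["priority"] == priority)
    return [(sid, msg, n) for (sid, msg), n in counts.most_common(limit)]


def priority_share(alerts, priority):
    """Fraction of all alerts that carry the given priority."""
    if not alerts:
        return 0.0
    return sum(1 for a in alerts if a["priority"] == priority) / len(alerts)


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERT_FILE)
    print("alerts per priority:", dict(count_by_priority(alerts)))
    print("priority 3 share: %.0f%%" % (100 * priority_share(alerts, 3)))
    for sid, msg, n in top_signatures(alerts, 3):
        print("  sid %d  %-30s %d alerts" % (sid, msg, n))
```

Run it against a real file with `parse_alerts(open("/var/log/snort/alert").read())`; the per-signature list for priority 3 tells you which rules are filling the log, which is more useful than the raw count when deciding what to comment out.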