
Snort Forums Archive


Seattle Snort Users Group 7/11/06 7:00 PM @SSCC room tba


Posted by jimmythegeek on June 29, 2006 18:09:32

ANNOUNCING:

The seventh meeting of Seattle Snort Users Group

(SeaSnUG)


Seventh Meeting: July 11, 2006 at 7:00 PM

Location: South Seattle Community College, room TBA


Attractions:

*nix trivia and schwag raffle

Presentation

Presentation Topic: Snort Rule Clinic

James Affeld (me) will present a clinic on writing Snort rules for detection and performance, with a heavy reliance on the 80-20 principle (where 80% of the value is in 20% of the features).

This will not be a dry recitation of what's already in the excellent Snort manual, nor an exposition of Snort arcana. My intent will be to cover the most generally useful features, the areas easiest to make mistakes, and some things that should be in the manual but aren't. In short, what I think you need to write good Snort rules for the typical IT shop (if there is such a thing). I'll also try to cover in sufficient detail that you'll be able to parse rules written by other people and understand what they are looking for.

To anchor the rule lore in brain space, we'll also take a poorly constructed rule and improve it until it's efficient and accurate. Time permitting, we'll deconstruct/interpret one of the hairiest rules in the Snort distribution.

This presentation will not cover the new rule options available with the release of Snort 2.6. That may be covered in a future presentation.

About the speaker (me): James Affeld has been using Snort for about 5 years. He obtained the GIAC GCIA (GIAC Certified Intrusion Analyst) Gold certification in August 2003, and taught the Local Mentor edition of the SANS IDS class in the summer of 2005 (broadly comparable to being a TA for an upper division class).

The room we usually use will be closed for building renovation. I'll send a follow-up with the new location.



RSVP at http://www.snort.org/registrations/rsvp.html
SeaSnUG mailing list



Regional Map and Directions: http://southseattle.edu/campus/map.htm

Metro Transit Route 125: http://transit.metrokc.gov/tops/bus/schedules/s125_0_.html

Metro Transit Route 128: http://transit.metrokc.gov/tops/bus/schedules/s128_0_.html



Campus Map: http://southseattle.edu/campus/campmap.htm



Contact: jamesaffeld@yahoo.com