One thing that needs attention when keeping Snort tuned is updating the configuration variables in snort.conf when changes are made to the network. I recently noticed an alert was firing on legitimate DNS traffic because a new mail server was not in $SMTP_SERVERS. It's easy enough to add the IP to the SMTP_SERVERS variable.
In some cases, you may want that variable to hold other variables. For instance, a big company like GE might have many different sites or logical networks. If the sensor is going to see traffic from more than one site, it may be useful to keep the SMTP servers logically separated in snort.conf:
var EAST_COAST_TV_SMTP [192.168.1.1, 192.168.1.2]
var MICROWAVE_PROGRAMMING_SMTP [192.168.2.1,192.168.2.2]
var SMTP_SERVERS [$EAST_COAST_TV_SMTP,$MICROWAVE_PROGRAMMING_SMTP]

Note that the EAST_COAST_TV_SMTP and MICROWAVE_PROGRAMMING_SMTP variables need to be set before they are used in the SMTP_SERVERS variable.
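As an added example (not from the original post or from the Snort project), here is a small Python check that parses the `var` lines of a snort.conf fragment in file order, expands nested `$VARIABLE` references, flags a variable used before it is defined, and answers the question from the first paragraph: is a given mail server actually covered by $SMTP_SERVERS after expansion? The config text is a constructed sample; only plain addresses, CIDR blocks and `$REF` tokens are handled, not Snort's `!` negation or nested brackets.

```python
import ipaddress
import re

# Constructed sample snort.conf fragment mirroring the post's layout.
SNORT_CONF = """\
var EAST_COAST_TV_SMTP [192.168.1.1, 192.168.1.2]
var MICROWAVE_PROGRAMMING_SMTP [192.168.2.1,192.168.2.2]
var SMTP_SERVERS [$EAST_COAST_TV_SMTP,$MICROWAVE_PROGRAMMING_SMTP]
var HOME_NET [192.168.0.0/16]
"""

VAR_RE = re.compile(r"^\s*(?:var|ipvar)\s+(\w+)\s+(.+?)\s*$")


def expand_vars(conf_text):
    """Parse var/ipvar lines in order and expand nested $REFERENCES.

    Returns {name: [ip_network, ...]}. Raises ValueError when a variable is
    referenced before its definition, the ordering mistake the post warns about.
    """
    defined = {}
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = VAR_RE.match(line)
        if not m:
            continue  # comments, preprocessor lines, rules: not a variable
        name, value = m.groups()
        networks = []
        for tok in value.strip("[]").split(","):
            tok = tok.strip()
            if not tok:
                continue
            if tok.startswith("$"):
                ref = tok[1:]
                if ref not in defined:
                    raise ValueError(f"line {lineno}: ${ref} used before definition")
                networks.extend(defined[ref])
            else:
                # strict=False lets "192.168.1.1" become a /32 without complaint
                networks.append(ipaddress.ip_network(tok, strict=False))
        defined[name] = networks
    return defined


def ordering_error(conf_text):
    """Return the first ordering error message, or None if the config is well ordered."""
    try:
        expand_vars(conf_text)
    except ValueError as e:
        return str(e)
    return None


def covers(conf_text, var_name, ip):
    """True if ip falls inside any network that var_name expands to."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in expand_vars(conf_text)[var_name])
```

Running `covers(SNORT_CONF, "SMTP_SERVERS", "192.168.3.5")` returns False, which is exactly the "new mail server not in $SMTP_SERVERS" situation that produced the false alert in the post.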