[Snort-sigs] What are the most important rules?

McCammon, Keith Keith.McCammon at ...647...
Thu Aug 1 11:54:29 EDT 2002


What's important depends on your network.  To me, ICMP isn't important, because I filter it ten ways from Sunday.  HTTP, on the other hand, is of critical importance.

In general, if you're getting so many FPs that you can't effectively use the system, you haven't properly tuned your rules.  Write pass rules for known FPs, and only enable rules files for services that are running.  You can write simple catch-all rules for errant traffic.  And BPF out the hard-core garbage, and spare pcap the trouble of passing it all.

> -----Original Message-----
> From: bfledderjohn at ...722...
> [mailto:bfledderjohn at ...722...]
> Sent: Thursday, August 01, 2002 2:16 PM
> To: snort-sigs at lists.sourceforge.net
> Subject: [Snort-sigs] What are the most important rules?
> 
> 
> Out of all the rules that are available, what rules and alerts would you
> pay extremely close attention to?  I have tons of false alerts and am
> spending so much time determining priorities of alerts that are popping up.
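
Below, as an added example that is not part of Keith's reply or of any Snort distribution, is a snort.conf fragment that applies the four tuning steps he lists: pass rules for known false positives, only the rule files for services that actually run, a simple catch-all, and a BPF filter to keep the worst noise out of pcap. The address space, the scanner host 192.168.1.50 and the rule file names are assumptions.

```snort
# snort.conf fragment (added example): tune away known false positives
# instead of drowning in them.

var HOME_NET 192.168.1.0/24        # assumed; substitute your own address space
var EXTERNAL_NET !$HOME_NET
var RULE_PATH /etc/snort/rules

# 1. Evaluate pass rules before alert rules; with the default order
#    (alert pass log) the pass rules below never get a chance to fire.
#    Same effect as starting snort with -o.
config order: pass alert log

# 2. Only load rule files for services that are running here.
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-cgi.rules
# include $RULE_PATH/icmp.rules     # ICMP is filtered upstream; no point alerting on it
# include $RULE_PATH/pop3.rules     # no POP3 server on this network

# 3. Pass rule for a known false positive: an internal vulnerability scanner
#    (hypothetical host 192.168.1.50) trips the web-cgi rules every night.
pass tcp 192.168.1.50 any -> $HOME_NET 80 (msg:"PASS known FP - internal web scanner";)

# 4. Catch-all for errant traffic: any inbound SYN to a port we do not serve.
#    Deliberately broad; it is there to show what reaches hosts it should not.
alert tcp $EXTERNAL_NET any -> $HOME_NET !80 (msg:"CATCH-ALL inbound SYN to non-service port"; flags:S;)

# 5. BPF out the hard-core garbage (here: local NetBIOS chatter) before pcap
#    hands it to the rule engine. The filter is the trailing argument:
#    snort -c /etc/snort/snort.conf 'not (net 192.168.1.0/24 and (port 137 or port 138 or port 139))'
```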