[Snort-sigs] Re snort plus Ossetia

Don M. djmurd at ...1841...
Wed Feb 17 07:38:24 EST 2016

On the question of top Snort IDs... General decision making is a thought process tuned to your org. For me, personally, I'd do something like this:

First, make decisions and enable rules that represent your environment.
Second, look for any rules that relate to outbound command and control.
Third, there are rules that detect remote code execution payloads.
Fourth, there are a few UDP-based single-packet kills.
Fifth, I block ICMP at the border, so those rules inbound would never trigger (I hope...).
Sixth, I would want SYN+ACK packets for 3389, 22, 23 exiting my server network, because that indicates the start of a system responding to remote access (FIN+ACK would be the natural end, normally). The rule is directional.

Hopefully you get the idea here. I am sure that some would change the order, or emphasize one topic for another, ...but the point is that intrusion detection works better when you establish priorities and know your environment.
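As an added illustration of the sixth point above (this is not a rule from the original post or from the Snort ruleset), here is what that directional SYN+ACK rule can look like. The network variable names, the address ranges and the SID are assumptions for the example; adjust them to your own snort.conf.

```snort
# Assumed ipvar definitions (example values, not from the post):
#   ipvar SERVER_NET  [10.10.0.0/16]
#   ipvar EXTERNAL_NET !$SERVER_NET
#
# Fire when a host on the server network answers a connection to a remote
# access port. A SYN+ACK can only come from the listening side, so the
# source is the server and the rule direction (->) is server -> outside.
# flags:SA,12 requires SYN and ACK to be set and ignores the two ECN
# reserved bits so ECN-capable stacks do not slip past the match.
alert tcp $SERVER_NET [22,23,3389] -> $EXTERNAL_NET any ( \
    msg:"POLICY server network host answered inbound remote access (SYN/ACK egress)"; \
    flags:SA,12; \
    flow:from_server,stateless; \
    classtype:policy-violation; \
    sid:1000001; rev:1; \
)

# The mirror image, the FIN+ACK that normally closes the same session, is
# usually not worth its own alert; it is shown here only to make the
# directional pairing explicit and is left disabled.
# alert tcp $SERVER_NET [22,23,3389] -> $EXTERNAL_NET any ( \
#     msg:"POLICY remote access session on server network closing (FIN/ACK egress)"; \
#     flags:FA,12; flow:from_server,stateless; \
#     classtype:policy-violation; sid:1000002; rev:1; \
# )
```

The useful property of the SYN+ACK rule is that it only fires when a server actually accepts the connection; a scanner hitting a closed port produces a RST+ACK, not a SYN+ACK, so the rule stays quiet for noise and speaks up for the event the post cares about. flow:stateless is what lets it match on the handshake packet itself, before Snort considers the session established.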

