[Snort-users] tailoring rules on internal versus external networks

Erik Fichtner emf at ...367...
Tue Aug 10 08:12:01 EDT 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, Aug 10, 2004 at 02:27:52PM -0000, Tom Wentworth wrote:
> I have been tasked with tailoring rulesets on a large collection of sensors (more than a hundred).  I need to come up with a  baseline set of rules for sensors on both internal and external (internet exposed) segments.  Has anyone come up with baseline rulesets for these two very general situations?  I have some ideas about which rules I think are appropriate, but could really benefit from someone else's experience.  Any links or advice greatly appreciated.
> 

You might want to use m4 and a sensor(-type)-specific configuration file (ifdefs)
so you can generate the config automatically based on local decisions.  No two
sensors are ever alike.

Unless you're doing false positive reduction at a central location, and you
happen to be really good at that already.

- -- 
Erik Fichtner
Principal Engineer, Information Security, ServerVault Corp.
703-652-5900
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)

iD8DBQFBGOV6Q7EzrewLMS0RAlSpAKCoQ3+snnFKgSofO+IUzrDS67J//ACdGe37
pIklGuZoc5QGpu6b5r1Q6Zg=
=ZQ1P
-----END PGP SIGNATURE-----