[Snort-users] tailoring rules on internal versus external networks
emf at ...367...
Tue Aug 10 08:12:01 EDT 2004
-----BEGIN PGP SIGNED MESSAGE-----
On Tue, Aug 10, 2004 at 02:27:52PM -0000, Tom Wentworth wrote:
> I have been tasked with tailoring rulesets on a large collection of sensors (more than a hundred). I need to come up with a baseline set of rules for sensors on both internal and external (internet exposed) segments. Has anyone come up with baseline rulesets for these two very general situations? I have some ideas about which rules I think are appropriate, but could really benefit from someone else's experience. Any links or advice greatly appreciated.
You might want to use m4 and a sensor(-type) specific configuration file (ifdef's)
so you can generate the config automatically based on local decisions. No two
sensors are ever alike.
Unless you're doing false positive reduction at a central location, and you
happen to be really good at that already.
Principal Engineer, Information Security, ServerVault Corp.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)
-----END PGP SIGNATURE-----
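The reply's approach, one baseline template plus a small per-sensor set of defines that select which rule files and variables each sensor gets, as an added example that is not part of the thread. It mirrors what m4's ifdef() does but uses only the Python standard library so it runs where m4 is not installed; the template syntax, sensor names, networks and rule-file names are all constructed for illustration.

```python
"""Render per-sensor Snort configurations from one template and a sensor profile.

Added example (not from the Snort-users thread). It reproduces the m4 ifdef()
selection the reply suggests with a tiny stand-in syntax:
  IFDEF(NAME, line)   keeps 'line' only when NAME is defined for the sensor
  IFNDEF(NAME, line)  keeps 'line' only when NAME is NOT defined
  @VAR@               is replaced by the sensor's value for VAR
Everything below (template, sensor names, networks, rule files) is constructed.
"""
import re

# Constructed baseline template shared by every sensor.
TEMPLATE = """\
var HOME_NET @HOME_NET@
var EXTERNAL_NET @EXTERNAL_NET@
preprocessor frag3_global
preprocessor stream5_global: track_tcp yes
IFDEF(EXTERNAL, include $RULE_PATH/scan.rules)
IFDEF(EXTERNAL, include $RULE_PATH/web-attacks.rules)
IFDEF(INTERNAL, include $RULE_PATH/policy.rules)
IFDEF(INTERNAL, include $RULE_PATH/netbios.rules)
IFNDEF(NO_ICMP, include $RULE_PATH/icmp.rules)
include $RULE_PATH/backdoor.rules
"""

# Constructed sensor profiles: the "local decisions" the reply refers to.
SENSORS = {
    "dmz-sensor-01": {
        "defines": {"EXTERNAL"},
        "vars": {"HOME_NET": "[192.0.2.0/24]", "EXTERNAL_NET": "!$HOME_NET"},
    },
    "lan-sensor-07": {
        "defines": {"INTERNAL", "NO_ICMP"},
        "vars": {"HOME_NET": "[10.0.0.0/8]", "EXTERNAL_NET": "!$HOME_NET"},
    },
}

COND = re.compile(r"^IF(N?)DEF\((\w+),\s*(.*)\)\s*$")
VAR = re.compile(r"@(\w+)@")


def render(template, profile):
    """Return the snort.conf text for one sensor profile.

    profile = {"defines": set of flag names, "vars": {name: value}}.
    A template variable with no value in the profile raises KeyError, so a
    sensor never ships with a silently empty HOME_NET.
    """
    out = []
    for line in template.splitlines():
        m = COND.match(line)
        if m:
            negate, flag, body = m.group(1) == "N", m.group(2), m.group(3)
            defined = flag in profile["defines"]
            # IFDEF with the flag absent, or IFNDEF with it present: drop the line.
            if defined == negate:
                continue
            line = body
        line = VAR.sub(lambda v: profile["vars"][v.group(1)], line)
        out.append(line)
    return "\n".join(out) + "\n"


def build_all(template=TEMPLATE, sensors=SENSORS):
    """Render every sensor's config; this is what a deploy script would write out."""
    return {name: render(template, prof) for name, prof in sensors.items()}


def included_rules(conf):
    """Rule files a rendered config pulls in, handy for diffing two sensor types."""
    return [l.split("/")[-1] for l in conf.splitlines() if l.startswith("include ")]


if __name__ == "__main__":
    for name, conf in build_all().items():
        print(f"# ---- {name} ----")
        print(conf)
```

With real m4 the template lines would read ifdef(`EXTERNAL', `include $RULE_PATH/scan.rules') and a sensor's config would be produced with `m4 -DEXTERNAL template.m4`; the point either way is that the rule selection is reviewable in one template and the per-sensor differences are a short list of defines, which also makes it obvious when a "baseline" has drifted between the two sensor types.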