[Snort-users] Re: Newbie - Rules updates, multiple interfaces, etc.

Richard Bejtlich richard_bejtlich at ...131...
Mon May 10 07:58:01 EDT 2004

Mark G. Spencer wrote:

I'm running Snort on two machines, one Win98 and
another WinXP Professional.

How can I enable *all* Snort rules?  I got an answer
(or answers) back that you wouldn't want to do this,
you should tune your rules for the platforms Snort is
running in front of. This doesn't make sense to me
from a security perspective - who's to say through an
intrusion, other IT guys, or the curious guy in
engineering that new services will appear on your
network you hadn't planned on?  If you have the
processing power, wouldn't you want Snort utilizing
the full ruleset?

The short answer is to look in your snort.conf and
uncomment the rule include statements near the end of
the file, e.g.:

# include $RULE_PATH/web-attacks.rules

The long answer is to consider what you hope to learn
with Snort.  Every Snort alert is an indicator that
must be analyzed, validated, and potentially escalated
to a decision maker.  If you're not collecting the
session and full content data needed to properly
analyze an event, you're more likely to generate
alerts which you must ignore for lack of supporting

There is some value in enabling rules for services
which are not presumed to exist.  For example, a shop
running only Apache might leave IIS rules enabled to
catch rogue IIS servers.  Shops with more robust
change management and configuration control disable
rules for services they know don't apply to their

Snort is powerful because users can customize it.  I
recommend trying a variety of rule combinations and
seeing what works for you.  I also recommend replacing
your Windows 98 system with an OS in the NT family, if
you must run Snort on Windows at all.  A security
application like Snort does not belong on a
consumer-minded desktop OS.
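The following is an added example, not part of Richard's reply or of the Snort project, showing the "short answer" above as a small POSIX shell helper: it reports which `include $RULE_PATH/...` lines in a snort.conf are active and which are commented out, and can uncomment either one named rule file or all of them. The snort.conf tail it operates on is a constructed sample written to a temp file (the real file is much longer), and the function names are this example's own. The enabled/disabled listing is the piece a defender wants when deciding, as the reply suggests, which rule files match the services actually in front of the sensor.

```shell
#!/bin/sh
# Write a constructed sample of the rule-include section at the end of a
# snort.conf (sample only; not a real Snort distribution file).
make_sample_conf() {
  cat > "$1" <<'EOF'
var RULE_PATH ../rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/web-iis.rules
# include $RULE_PATH/web-attacks.rules
# include $RULE_PATH/pop3.rules
EOF
}

# Rule files whose include line is active (line starts with "include").
enabled_rules() {
  grep -E '^[[:space:]]*include[[:space:]]+\$RULE_PATH/' "$1" | sed -E 's#.*/##'
}

# Rule files whose include line is commented out with a leading "#".
disabled_rules() {
  grep -E '^[[:space:]]*#[[:space:]]*include[[:space:]]+\$RULE_PATH/' "$1" | sed -E 's#.*/##'
}

# Uncomment the include line for one rule file:
#   enable_rule snort.conf web-attacks.rules
# Uses a temp file and mv rather than sed -i, which differs between GNU and BSD sed.
enable_rule() {
  conf="$1"; rule="$2"
  sed -E "s|^[[:space:]]*#[[:space:]]*(include[[:space:]]+\\\$RULE_PATH/$rule)[[:space:]]*\$|\\1|" \
    "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Uncomment every include line (the "enable everything" the question asked for).
enable_all_rules() {
  sed -E 's|^[[:space:]]*#[[:space:]]*(include[[:space:]]+\$RULE_PATH/)|\1|' \
    "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Demonstration on the constructed sample.
demo_conf=$(mktemp)
make_sample_conf "$demo_conf"
echo "enabled before:";  enabled_rules "$demo_conf"
echo "disabled before:"; disabled_rules "$demo_conf"
enable_rule "$demo_conf" web-attacks.rules
echo "enabled after enabling web-attacks.rules:"; enabled_rules "$demo_conf"
rm -f "$demo_conf"
```

Run the listing functions before and after editing to confirm exactly which rule files changed; a rule file that is enabled but covers a service the sensor never sees is the kind of entry the reply recommends reviewing rather than leaving on by default.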
