[Snort-users] Filtering the Snort Rule Set for Firewall Blocks
james at ...8230...
Fri Aug 28 11:26:41 EDT 2009
I have recently set up a Snort sensor and am using snortsam with barnyard
connected to an OpenBSD firewall to dynamically block IPs that trigger
subsets of rules in Snort.
My question is: what is the best way to sort out a good rule set for our
environment? Is there a general list of known rules that are always bad
traffic that people are using, or is it really just watching the IDS
every day and adding alerts that appear to be malicious and removing
those that seem to alert on legitimate traffic? I notice a lot of rules
have very general triggers, like accessing any page with calendar.php in
it, and I notice that if the system we have set up were in production
there would be a lot of good traffic being blocked.
And is anyone else using a setup with Snort adding blocks on the
firewall? If so, what is your setup like, how long do you block
traffic for, and how do you mitigate the risk of blocking legitimate
users for applications where the source IPs are dynamic?
Thanks for any feedback,
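One mechanical way to build the "subset of rules" the poster describes, as an added example that is not part of the original message and not snortsam's or Snort's own code: read a rules file, keep only rules whose classtype is on a block-worthy list, refuse to block on rules that do not require an established TCP flow (a UDP or ICMP match can be spoofed, so a blocking rule on it lets anyone get an arbitrary address blocked), and append snortsam's `fwsam:` option with a fixed block duration so only the selected rules ever reach the firewall. The classtype list, the 15-minute duration, the rule lines and the choice to block the destination rather than the source on rules whose source is $HOME_NET are all assumptions of this example, not recommendations from the post.

```python
import re

# Classtypes this example treats as block-worthy.  ASSUMPTION: a starting
# point for tuning, not a list from the original post or from Snort/snortsam.
BLOCK_CLASSTYPES = {
    "trojan-activity",
    "attempted-admin",
    "successful-admin",
    "shellcode-detect",
    "successful-user",
}

# Constructed sample rules (not from the original post); sids are made up.
SAMPLE_RULES = """\
# web-php.rules (constructed sample)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP calendar.php access"; flow:to_server,established; uricontent:"/calendar.php"; nocase; classtype:web-application-activity; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS exploit attempt"; flow:to_server,established; content:"|00|"; classtype:attempted-admin; sid:1000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"IRC bot command"; flow:to_server,established; content:"PRIVMSG"; classtype:trojan-activity; sid:1000003; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP public community"; content:"public"; classtype:attempted-recon; sid:1000004; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL worm propagation"; content:"|04|"; classtype:trojan-activity; sid:1000005; rev:1;)
"""

# action proto header ( options )
RULE_RE = re.compile(
    r"^(?P<action>alert|drop|log|pass)\s+(?P<proto>\w+)\s+(?P<hdr>.+?)\s*\((?P<opts>.*)\)\s*$"
)


def parse_rule(line):
    """Split one Snort rule into header fields and an option dict.
    Semicolons inside content strings must be escaped in Snort syntax,
    so splitting on ';' is adequate for this purpose."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    opts = {}
    for opt in m.group("opts").split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, _, val = opt.partition(":")
        opts.setdefault(key.strip(), []).append(val.strip())
    return {"proto": m.group("proto"), "header": m.group("hdr"),
            "opts": opts, "raw": line.strip()}


def block_decision(rule):
    """Return (ok, reason): should this rule be allowed to trigger a block?"""
    opts = rule["opts"]
    classtype = opts.get("classtype", [""])[0]
    if classtype not in BLOCK_CLASSTYPES:
        return False, f"classtype {classtype!r} not block-worthy"
    flow = " ".join(opts.get("flow", []))
    # A match on a spoofable packet (UDP, ICMP, or a TCP rule without
    # flow:established) lets an attacker get any address blocked.
    if rule["proto"] != "tcp" or "established" not in flow:
        return False, "no established TCP flow: source address may be spoofed"
    return True, "ok"


def with_fwsam(rule, duration):
    """Append the snortsam fwsam option.  ASSUMPTION: for rules whose source
    is $HOME_NET (outbound bot traffic) block the remote destination, not
    our own host."""
    who = "dst" if rule["header"].startswith("$HOME_NET") else "src"
    body = rule["raw"][:-1].rstrip()      # drop the closing ')'
    if not body.endswith(";"):
        body += ";"
    return f"{body} fwsam: {who}, {duration};)"


def select_block_rules(rules_text, duration="15 min"):
    """Return (selected_rules, rejected) where rejected is [(sid, reason)]."""
    selected, rejected = [], []
    for line in rules_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        rule = parse_rule(line)
        if rule is None:
            rejected.append((line, "unparsed"))
            continue
        ok, reason = block_decision(rule)
        if ok:
            selected.append(with_fwsam(rule, duration))
        else:
            rejected.append((rule["opts"].get("sid", ["?"])[0], reason))
    return selected, rejected


if __name__ == "__main__":
    keep, drop = select_block_rules(SAMPLE_RULES)
    print("\n".join(keep))
    for sid, why in drop:
        print(f"# skipped sid {sid}: {why}")
```

Run over a copy of the real rule files, the output is a separate "blocking" rules file to load alongside (not instead of) the full alert-only set, so the calendar.php-style rules keep alerting without ever touching the firewall; the rejection list is the audit trail for why a rule was not promoted.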