[Snort-users] Filtering the Snort Rule Set for Firewall Blocks

CunningPike cunningpike at ...11827...
Fri Aug 28 16:54:56 EDT 2009

We ran our sensor for quite a while before we started using snortsam so we
could get a feel for which rules would be good block candidates - I would
advise you to do the same.

The Emerging Threats project (http://www.emergingthreats.net/) has a couple
of block rulesets that block known RBN hosts and so forth - they might be a
good start for snortsam, but be aware that they are IP-based rules and can
be quite processor intensive. You might find the IP blacklist beta code for
snort of more interest in this area.


On Fri, Aug 28, 2009 at 8:26 AM, James Chase <james at ...8230...> wrote:

> Hi,
> I have recently set up a Snort sensor and am using snortsam with barnyard
> connected to an openBSD firewall to dynamically block IPs that trigger
> subsets of rules in snort.
> My question is what is the best way to sort out a good rule set for our
> environment? Is there a general list of known rules that are always bad
> traffic that people are using, or is it really just watching the IDS
> every day and adding alerts that appear to be malicious and removing
> those that seem to alert on legitimate traffic? I notice a lot of rules
> have very general triggers, like accessing any page with calendar.php in
> it, and I notice that if the system we have set up were in production
> there would be a lot of good traffic being blocked.
> And is anyone else using a setup with snort adding blocks on the
> firewall, and if so what is your setup like, how long do you block
> traffic for, and how do you mitigate the risk of blocking legitimate
> users for applications where the source IPs are dynamic?
> Thanks for any feedback,
> James
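One way to do the evaluation the reply above recommends (run alert-only for a while, then pick block candidates from what actually fired, keeping James's calendar.php-style rules out of the block list), as added example code that is not part of this thread: a small Python triage script over Snort fast-format alert lines. The alert lines, SIDs and thresholds below are constructed for illustration, and the fast-format regex is an assumption about the classic `-A fast` layout.

```python
import re

# Snort fast-format alert line (-A fast); layout assumed from the classic format.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)

# Constructed sample alerts from an alert-only evaluation period (not real traffic).
SAMPLE_ALERTS = """\
08/28-08:01:12.000001  [**] [1:1000001:1] WEB-PHP calendar.php access [**] [Classification: Web Application Activity] [Priority: 2] {TCP} 192.0.2.10:51234 -> 198.51.100.5:80
08/28-08:02:40.000002  [**] [1:1000001:1] WEB-PHP calendar.php access [**] [Classification: Web Application Activity] [Priority: 2] {TCP} 192.0.2.11:51235 -> 198.51.100.5:80
08/28-08:05:03.000003  [**] [1:1000001:1] WEB-PHP calendar.php access [**] [Classification: Web Application Activity] [Priority: 2] {TCP} 192.0.2.12:51236 -> 198.51.100.5:80
08/28-08:07:55.000004  [**] [1:1000001:1] WEB-PHP calendar.php access [**] [Classification: Web Application Activity] [Priority: 2] {TCP} 192.0.2.13:51237 -> 198.51.100.5:80
08/28-09:10:00.000005  [**] [1:1000002:1] SCAN nmap TCP probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:40000 -> 198.51.100.5:22
08/28-09:10:00.000006  [**] [1:1000002:1] SCAN nmap TCP probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:40001 -> 198.51.100.5:23
08/28-09:10:01.000007  [**] [1:1000002:1] SCAN nmap TCP probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:40002 -> 198.51.100.6:22
"""

def parse_fast_alert(line):
    """Return the fields of one fast-format alert line, or None if it does not parse."""
    m = FAST_RE.match(line)
    return m.groupdict() if m else None

def summarize(lines):
    """Aggregate alerts per SID: hit count plus distinct source and target IPs."""
    stats = {}
    for line in lines:
        a = parse_fast_alert(line)
        if a is None:
            continue  # skip non-alert lines (preprocessor chatter, blanks)
        s = stats.setdefault(a["sid"], {"msg": a["msg"], "hits": 0,
                                        "sources": set(), "targets": set()})
        s["hits"] += 1
        s["sources"].add(a["src"])
        s["targets"].add(a["dst"])
    return stats

def rank_block_candidates(stats, max_sources=3, min_hits=3):
    """Heuristic triage: repeated hits from few sources -> plausible block candidate;
    one hit each from many unrelated sources -> ordinary traffic, keep it alert-only."""
    rows = []
    for sid, s in stats.items():
        n_src = len(s["sources"])
        verdict = "candidate" if s["hits"] >= min_hits and n_src <= max_sources else "keep alert-only"
        rows.append((sid, s["msg"], s["hits"], n_src, verdict))
    return sorted(rows, key=lambda r: (r[4] != "candidate", -r[2]))
```

Feed it the real alert file from the evaluation period instead of `SAMPLE_ALERTS`, and tune `max_sources`/`min_hits` to the size of your user base before letting any SID through to snortsam.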
