[Snort-users] Filtering the Snort Rule Set for Firewall Blocks

Frank Knobbe frank at ...9761...
Sat Aug 29 17:05:49 EDT 2009

On Fri, 2009-08-28 at 13:54 -0700, CunningPike wrote:
> We ran our sensor for quite a while before we started using snortsam
> so we could get a feel for which rules would be good block candidates
> - I would advise you to do the same.
> The Emerging Threats project (http://www.emergingthreats.net/) has a
> couple of block rulesets that block known RBN hosts and so forth -
> they might be a good start for snortsam, but be aware that they are
> IP-based rules and can be quite processor intensive. You might find
> the IP blacklist beta code for snort of more interest in this area.

I never understood why IP based rules are required to block with
Snortsam. If you know bad IP's already, block'em! Don't wait for the

Even written rules ready for Snortsam (fwsam option) should be reviewed.
As CP said, run rules for a while and see if the create false positives.
For example, 'content:"Useragent: Morfeus F Scanner"' has a 0 change of
false positives, so it's safe to configure that with autoblock.
'content:"setup.php"' on the other hand may false occasionally, so it's
probably not a good candidate. It really depends on the signature
itself, your environment (only servers, or also users browsing out that
can create alerts that may trigger, what type of servers, etc), and what
level of risk in regards to false positives you want to take.

I myself am cautious, so I only have a couple dozen sigs on auto-block.
Our IDS console allows us to block when we determine it's a real attack.
Your mileage may vary of course. IDS in general is not a
configure-and-forget sorta thing, so don't assume you can just configure
tons of sigs to auto-block and let is run unattended :)


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 188 bytes
Desc: This is a digitally signed message part
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20090829/6de58465/attachment.sig>

More information about the Snort-users mailing list