[Snort-users] Default Rules

Clue Store cluestore at ...11827...
Mon Jun 21 08:59:53 EDT 2010

Hi All,

I’m new to Snort, so take it easy :) I have enabled the portscan
preprocessor and am detecting port scans from Nessus and Nmap, but if I
disable that preprocessor, I’m not getting much else in the way of
intrusions (this could be due to the fact that I’m only sniffing a small
amount of traffic for a few hosts). I also see that a lot of the rules are
#’d out, so they aren’t being used.

1. Should I uncomment some or all of these rules (for example, I have a
lot of different SQL servers on my network I want to protect)? What about
bad-traffic.rules, etc.? Are these commented out due to too many false
positives and noise?
2. What is a good way of testing some of the rules out? Do I deploy an
unpatched server with IIS and SQL, for example, that has known
vulnerabilities? Honeypots?
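An added worked example for the first question, not part of the original post and not Snort's own code: a small Python script that reads the text of a snort.conf and of a .rules file and reports which `include $RULE_PATH/...` lines and which individual rules are commented out, so you can see exactly what is loaded before you start uncommenting. The configuration fragment and rule lines below are constructed for illustration; the file names, sids (in the local 1000000+ range) and msg strings are assumptions, not real VRT rules.

```python
"""Inventory which Snort rule files and rules are enabled.

Added example, not from the original post or from Snort. The sample
snort.conf fragment and rules file are constructed for illustration;
file names, sids and messages are assumptions, not real VRT rules.
"""
import re
from typing import Dict, List

# "include $RULE_PATH/<file>", optionally commented out with a leading '#'.
INCLUDE_RE = re.compile(r'^\s*(#\s*)?include\s+\$RULE_PATH/(\S+)')
# A rule header, optionally commented out: "#alert tcp ...".
RULE_RE = re.compile(r'^\s*(#\s*)?(alert|log|pass|drop|reject|sdrop)\s+')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg\s*:\s*"([^"]*)"')


def _join_continuations(text: str) -> List[str]:
    """Join lines ending in a backslash, as Snort does for long rules."""
    lines: List[str] = []
    buf = ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1]
            continue
        lines.append(buf + raw)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def inventory_includes(conf_text: str) -> Dict[str, bool]:
    """Map each $RULE_PATH include to True (active) or False (commented out)."""
    result: Dict[str, bool] = {}
    for line in conf_text.splitlines():
        m = INCLUDE_RE.match(line)
        if m:
            result[m.group(2)] = m.group(1) is None
    return result


def inventory_rules(rules_text: str) -> List[dict]:
    """List every rule in a .rules file with its sid, msg and enabled flag."""
    rules: List[dict] = []
    for line in _join_continuations(rules_text):
        m = RULE_RE.match(line)
        if not m:
            continue  # blank line or plain comment, not a rule
        sid = SID_RE.search(line)
        msg = MSG_RE.search(line)
        rules.append({
            "sid": int(sid.group(1)) if sid else None,
            "msg": msg.group(1) if msg else "",
            "enabled": m.group(1) is None,
        })
    return rules


def summarize(conf_text: str, rules_text: str) -> dict:
    """Counts and file lists a reviewer would want before touching rules."""
    inc = inventory_includes(conf_text)
    rules = inventory_rules(rules_text)
    return {
        "includes_enabled": sorted(f for f, on in inc.items() if on),
        "includes_disabled": sorted(f for f, on in inc.items() if not on),
        "rules_enabled": sum(1 for r in rules if r["enabled"]),
        "rules_disabled": sum(1 for r in rules if not r["enabled"]),
    }


# Constructed snort.conf fragment (illustration only).
SAMPLE_CONF = """\
var RULE_PATH ../rules
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
#include $RULE_PATH/sql.rules
# include $RULE_PATH/web-iis.rules
"""

# Constructed rules file; sids and messages are assumptions, not VRT rules.
SAMPLE_RULES = """\
# a comment that is not a rule
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SAMPLE enabled rule"; content:"sp_"; sid:1000001; rev:1;)
#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SAMPLE disabled rule"; content:"xp_"; nocase; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"SAMPLE multi-line rule"; \\
    content:"GET"; sid:1000003; rev:1;)
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_CONF, SAMPLE_RULES))
    for r in inventory_rules(SAMPLE_RULES):
        print(f"sid {r['sid']:>8}  {'on ' if r['enabled'] else 'off'}  {r['msg']}")
```

On a real sensor, pass `open("/etc/snort/snort.conf").read()` and the contents of each file under the directory named by the `var RULE_PATH` line; the script only reads text and never loads or changes the configuration, so it is safe to run on a production box.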
