[Snort-users] Default Rules
cluestore at ...11827...
Mon Jun 21 08:59:53 EDT 2010
I’m new to Snort, so take it easy :) I have enabled the portscan
preprocessor and am detecting port scans from Nessus and Nmap, but if I
disable that preprocessor, i’m not getting much else in the way of
intrusions (this could be due to the fact that im only sniffing a small
amount of traffic for a few hosts). I also see that alot of the rules are
#‘d out, so they aren’t being used.
1. Should I uncomment out some of these some or all of the rules (for
example, I have alot of different SQL servers on my network I want to
protect). What about the bad-traffic.rules, etc??? Are these commented out
due to too many false positives and noise???
2. What is a good way of testing some of the rules out?? Do I deploy an
un-patched server with IIS and SQL for example that have known
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users