[Snort-users] Default Rules

Joe Pampel jpampel at ...14829...
Mon Jun 21 09:45:51 EDT 2010


1.       Ideally you should adjust the rulebase to reflect your network. If you are not running Oracle, disable Oracle rules as an example. Someone could throw Oracle attacks at you all day and you really don't care. ;) You want to limit the number of hits you get to be things you need to care about. There are so many random SSH, ICMP, etc. scans that no one could ever follow up on them all. I use IDS Policy Manager (http://www.activeworx.org/Default.aspx?tabid=55) to track my rules, which makes it a lot easier to see what they all are, turn them on and off, etc.

2.       Good way to "test" it out is to tap traffic outside your internet facing router and see all the bad stuff in the wild. Your sensor will get a workout. ;)   Not realistic, but you will see rules fire.

3.       My advice is to download Splunk and have it collect your snort logs (or have snort syslog to splunk). The free version is very cost effective ;) and does not choke on large numbers of entries. It's also helpful to ID patterns in your alert traffic.  For example, I have a person in Poland who SNMP scans me 1 host at a time, 2 packets a day. For the past month. :) I doubt I would have noticed that otherwise with all the other daily excitement.

4.       I would not deploy anything deliberately vulnerable other than a purpose built honeypot.

From: Clue Store [mailto:cluestore at ...11827...]
Sent: Monday, June 21, 2010 9:00 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Default Rules

Hi All,

I'm new to Snort, so take it easy :) I have enabled the portscan preprocessor and am detecting port scans from Nessus and Nmap, but if I disable that preprocessor, I'm not getting much else in the way of intrusions (this could be due to the fact that I'm only sniffing a small amount of traffic for a few hosts). I also see that a lot of the rules are #'d out, so they aren't being used.

1. Should I uncomment some or all of these rules (for example, I have a lot of different SQL servers on my network I want to protect)? What about the bad-traffic.rules, etc.??? Are these commented out due to too many false positives and noise???
2. What is a good way of testing some of the rules out?? Do I deploy an un-patched server with IIS and SQL for example that have known vulnerabilities?? Honeypots??
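The "one host at a time, 2 packets a day" scanner in Joe's third point is exactly the kind of pattern that disappears in a busy alert stream unless something aggregates per source over time. The script below is an added example written for this page (not code from either poster, and not Splunk): it parses Snort `alert_fast` output, groups alerts by source address, and reports sources that keep showing up day after day at a rate too low to notice by eye. The sample log lines are constructed inline; the signature ids and messages in them are illustrative, and the thresholds (`min_days`, `max_per_day`) are assumptions to tune for your own traffic.

```python
"""Surface low-and-slow scanners in Snort alert_fast logs by aggregating per source.

Added example for the thread above; the alert lines below are constructed,
not real traffic. Works offline on a list of strings or on a real alert file.
"""
import re
from collections import defaultdict

# One alert_fast line (ports are absent for ICMP, so they are optional here):
# 06/01-03:10:07.512345  [**] [1:1417:9] SNMP request udp [**] [Classification: ...] [Priority: 2] {UDP} 203.0.113.7:40110 -> 192.0.2.1:161
ALERT_RE = re.compile(
    r"^(?P<month>\d\d)/(?P<day>\d\d)-(?P<time>[\d:.]+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line):
    """Return the named fields of one alert_fast line, or None if it does not match."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None


def build_sample_log():
    """Constructed sample alerts: one slow scanner, one loud sweep, one stray alert."""
    lines = []
    # Source A: two SNMP probes a day against a single new host each day, for 12 days.
    for day in range(1, 13):
        for n in range(2):
            lines.append(
                f"06/{day:02d}-03:1{n}:07.512345  [**] [1:1417:9] SNMP request udp [**] "
                f"[Classification: Attempted Information Leak] [Priority: 2] "
                f"{{UDP}} 203.0.113.7:4011{n} -> 192.0.2.{day}:161"
            )
    # Source B: thirty ICMP probes inside one minute; loud enough to be seen without help.
    for n in range(30):
        lines.append(
            f"06/05-14:00:{n:02d}.000000  [**] [1:469:3] ICMP PING NMAP [**] "
            f"[Classification: Attempted Information Leak] [Priority: 2] "
            f"{{ICMP}} 198.51.100.9 -> 192.0.2.{n % 4 + 1}"
        )
    # A single unrelated alert from a third source.
    lines.append(
        "06/09-10:00:00.000000  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] "
        "[Classification: Misc Attack] [Priority: 2] {UDP} 198.51.100.20:1434 -> 192.0.2.3:1434"
    )
    return lines


def summarize_by_source(lines):
    """Per source address: alert count, distinct days seen, distinct targets, signatures."""
    per_src = defaultdict(lambda: {"alerts": 0, "days": set(), "dsts": set(), "sigs": set()})
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue  # preprocessor lines or garbage; skip rather than fail
        s = per_src[a["src"]]
        s["alerts"] += 1
        s["days"].add((a["month"], a["day"]))
        s["dsts"].add(a["dst"])
        s["sigs"].add(a["msg"])
    return per_src


def low_and_slow(lines, min_days=7, max_per_day=5):
    """Sources seen on at least min_days distinct days with at most max_per_day alerts per day.

    The thresholds are assumptions; a busy perimeter sensor will want different ones.
    """
    found = {}
    for src, s in summarize_by_source(lines).items():
        days = len(s["days"])
        if days >= min_days and s["alerts"] / days <= max_per_day:
            found[src] = {
                "alerts": s["alerts"],
                "days": days,
                "targets": len(s["dsts"]),
                "signatures": sorted(s["sigs"]),
            }
    return found


if __name__ == "__main__":
    for src, info in low_and_slow(build_sample_log()).items():
        print(f"{src}: {info['alerts']} alerts over {info['days']} days, "
              f"{info['targets']} targets, {', '.join(info['signatures'])}")
```

On the constructed data only the two-packets-a-day source is reported; the noisy one-day sweep is ignored by `low_and_slow` because it fails the `min_days` test, which is the point: a tool like this complements, rather than replaces, the per-day view you would get from Splunk or a quick `sort | uniq -c` over the source column.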

