[Snort-users] Default Rules

Clue Store cluestore at ...11827...
Mon Jun 21 09:57:46 EDT 2010


Hi Joe,

I do understand that I should disable all rules that I know I won't have any
services for. The policy manager looks very cool and I will check it out as
this will probably help me with managing rules.

I have a rather small environment (~30 servers), so with the policy manager,
I should be able to turn on most rules and turn them off as I need to.

Thanks for the info,
Max

On Mon, Jun 21, 2010 at 8:45 AM, Joe Pampel <jpampel at ...14829...> wrote:

>  Jm2c:
>
>
>
> 1.       Ideally you should adjust the rulebase to reflect your network.
> If you are not running Oracle, disable Oracle rules as an example. Someone
> could throw Oracle attacks at you all day and you really don’t care. ;) You
>  want to limit the number of hits you get to be things you need to care
> about. There are so many random SSH, ICMP, etc scans that no one could ever
> follow up on them all.  I use IDS Policy Manager (
> http://www.activeworx.org/Default.aspx?tabid=55) to track my rules which
> makes it a lot easier to see what they all are, turn them on and off, etc.
>
>
> 2.       A good way to “test” it out is to tap traffic outside your internet
> facing router and see all the bad stuff in the wild. Your sensor will get a
> workout. ;)   Not realistic, but you will see rules fire.
>
> 3.       My advice is to download Splunk and have it collect your snort
> logs (or have snort syslog to splunk). The free version is very cost
> effective ;) and does not choke on large numbers of entries. It’s also
> helpful to ID patterns in your alert traffic.  For example, I have a person
> in Poland who SNMP scans me 1 host at a time, 2 packets a day. For the past
> month. :) I doubt I would have noticed that otherwise with all the other
> daily excitement.
>
> 4.       I would not deploy anything deliberately vulnerable other than a
> purpose built honeypot.
>
>
>
>
>
> *From:* Clue Store [mailto:cluestore at ...11827...]
> *Sent:* Monday, June 21, 2010 9:00 AM
> *To:* snort-users at lists.sourceforge.net
> *Subject:* [Snort-users] Default Rules
>
>
>
> Hi All,
>
> I’m new to Snort, so take it easy :) I have enabled the portscan
> preprocessor and am detecting port scans from Nessus and Nmap, but if I
> disable that preprocessor, I’m not getting much else in the way of
> intrusions (this could be due to the fact that I’m only sniffing a small
> amount of traffic for a few hosts). I also see that a lot of the rules are
> #’d out, so they aren’t being used.
>
> 1. Should I uncomment some or all of these rules (for
> example, I have a lot of different SQL servers on my network I want to
> protect)? What about the bad-traffic.rules, etc.? Are these commented out
> due to too many false positives and noise?
>
> 2. What is a good way of testing some of the rules out? Do I deploy an
> un-patched server with IIS and SQL, for example, that have known
> vulnerabilities? Honeypots?
>
>
>
> Thanks,
>
> Max
>
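Worked example for Joe's point 1 and Max's first question. This is an added illustration, not code from the thread or from the Snort project: it takes a rules file and an inventory of the ports that really listen on $HOME_NET, and for each rule aimed at $HOME_NET it expands the destination port spec (including `$PORTVAR`, lists and ranges), uncomments the rule if the port is one you serve and comments it out if it is not. Outbound rules ($HOME_NET -> $EXTERNAL_NET), rules with a destination port of `any`, and non-rule lines are left exactly as they were. The `PORTVARS` map, the sample rules (local SID range, 1000001+) and the `SERVED_PORTS` inventory are all constructed for the example; in a real run you would read the portvars from snort.conf and build the inventory from a port scan of your own hosts.

```python
"""Toggle Snort rules by whether anything on $HOME_NET serves the target port.

Added example (not Snort's tooling, not from the thread). For each rule aimed
at $HOME_NET it expands the destination port spec, checks it against an
inventory of ports that are really listening, and uncomments the rule if they
overlap or comments it out if they do not. Outbound rules ($HOME_NET -> ...)
and rules with a destination port of 'any' are left untouched.
"""
import re

# Constructed portvar map; a real run would read these from snort.conf.
PORTVARS = {"HTTP_PORTS": "[80,8080]", "ORACLE_PORTS": "1521", "SQL_PORTS": "[1433,1434]"}

# Rule header: [#] action proto src sport dir dst dport (
HEADER_RE = re.compile(
    r"^(?P<prefix>\s*(?:#\s*)?)(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\("
)

def expand_ports(spec, portvars=PORTVARS):
    """Expand a port spec (N, N:M, :M, N:, $VAR, [a,b,c:d], leading '!') to
    (set of ports or None for 'any', negated flag)."""
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if spec.startswith("$"):
        spec = portvars[spec[1:]]
    if spec == "any":
        return None, negated
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if item.startswith("$"):
            sub, _ = expand_ports(item, portvars)   # nested variable inside a list
            if sub is None:
                return None, negated
            ports |= sub
        elif ":" in item:
            lo, hi = item.split(":", 1)
            ports |= set(range(int(lo or 0), int(hi or 65535) + 1))
        else:
            ports.add(int(item))
    return ports, negated

def decide(line, served_ports, portvars=PORTVARS):
    """Return 'enable', 'disable' or None (leave the line alone)."""
    m = HEADER_RE.match(line)
    if not m or m.group("dir") != "->" or m.group("dst") != "$HOME_NET":
        return None
    ports, negated = expand_ports(m.group("dport"), portvars)
    if ports is None:
        return None                      # 'any': nothing to reason about
    hits = (served_ports - ports) if negated else (served_ports & ports)
    return "enable" if hits else "disable"

def tune_rules(lines, served_ports, portvars=PORTVARS):
    """Return (rewritten lines, counts of enable/disable/unchanged)."""
    out, stats = [], {"enable": 0, "disable": 0, "unchanged": 0}
    for line in lines:
        action = decide(line, served_ports, portvars)
        new = line
        if action == "enable":
            new = line[HEADER_RE.match(line).end("prefix"):]      # drop leading '#'
        elif action == "disable" and "#" not in HEADER_RE.match(line).group("prefix"):
            new = "# " + line.lstrip()
        stats[action if new != line else "unchanged"] += 1
        out.append(new)
    return out, stats

# Constructed sample rules in the local SID range; not real Snort rules.
SAMPLE_RULES = [
    "# ---- constructed sample rules ----",
    '#alert tcp $EXTERNAL_NET any -> $HOME_NET $SQL_PORTS (msg:"SAMPLE MS-SQL probe"; sid:1000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET $ORACLE_PORTS (msg:"SAMPLE Oracle TNS probe"; sid:1000002; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,8000] (msg:"SAMPLE web probe"; sid:1000003; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET !1024: (msg:"SAMPLE low-port probe"; sid:1000004; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"SAMPLE outbound web"; sid:1000005; rev:1;)',
    'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE icmp"; sid:1000006; rev:1;)',
]
# Constructed inventory: ports that actually listen on $HOME_NET.
SERVED_PORTS = {22, 80, 443, 1433}

if __name__ == "__main__":
    tuned, counts = tune_rules(SAMPLE_RULES, SERVED_PORTS)
    print("\n".join(tuned))
    print(counts)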
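Worked example for Joe's point 3, the low-and-slow scanner that only stood out once the alerts were aggregated. This is an added illustration in Python, not from the thread and not a Snort or Splunk feature: it parses alerts in Snort's fast alert format (the `output alert_fast` file), groups them by source address and signature, and reports sources that fire only a few alerts on any one day but keep coming back on many distinct days. The alert lines and the thresholds are constructed for the example; a real run would feed it the sensor's alert file.

```python
"""Find low-and-slow scanners in Snort fast-format alerts.

Added example, not from the thread or the Snort project. Groups alerts by
(source, sid, msg) and reports sources with few alerts per day spread over
many days, which is easy to miss in a raw alert stream.
"""
import re
from collections import defaultdict

# Fast alert line: MM/DD-HH:MM:SS.ffffff  [**] [gid:sid:rev] msg [**] ... {PROTO} src[:port] -> dst[:port]
FAST_RE = re.compile(
    r"^(?P<date>\d\d/\d\d)-(?P<time>\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

def parse_fast_alert(line):
    """Return the alert fields as a dict, or None if the line is not an alert."""
    m = FAST_RE.match(line)
    return m.groupdict() if m else None

def find_low_and_slow(lines, min_days=5, max_per_day=3):
    """Return {(src, sid, msg): (distinct_days, total_alerts, distinct_dsts)}
    for sources seen on at least min_days days with no more than max_per_day
    alerts on any single day."""
    per_day = defaultdict(lambda: defaultdict(int))
    dsts = defaultdict(set)
    for line in lines:
        a = parse_fast_alert(line)
        if a is None:
            continue
        key = (a["src"], a["sid"], a["msg"])
        per_day[key][a["date"]] += 1
        dsts[key].add(a["dst"])
    result = {}
    for key, days in per_day.items():
        if len(days) >= min_days and max(days.values()) <= max_per_day:
            result[key] = (len(days), sum(days.values()), len(dsts[key]))
    return result

def _build_sample():
    """Constructed alert lines: one slow SNMP prober, one loud pinger, one junk line."""
    lines = []
    for day in range(1, 7):                    # 2 UDP/161 probes a day, new target each day
        for n in range(2):
            lines.append(
                f"05/{day:02d}-03:1{n}:00.000000  [**] [1:1417:9] SNMP request udp [**] "
                f"[Classification: Attempted Information Leak] [Priority: 2] {{UDP}} "
                f"198.51.100.7:1025 -> 10.0.0.{day}:161")
    for n in range(50):                        # 50 pings in one day: loud, not slow
        lines.append(
            f"05/03-10:00:{n:02d}.000000  [**] [1:384:5] ICMP PING [**] "
            f"[Classification: Misc activity] [Priority: 3] {{ICMP}} "
            f"203.0.113.9 -> 10.0.0.20")
    lines.append("not an alert line")
    return lines

SAMPLE_ALERTS = _build_sample()

if __name__ == "__main__":
    for (src, sid, msg), (days, total, targets) in find_low_and_slow(SAMPLE_ALERTS).items():
        print(f"{src} sid {sid} '{msg}': {total} alerts over {days} days, {targets} targets")
```

The thresholds are the knobs that matter: `max_per_day` is what separates this from an ordinary volume-based top talker list, and `min_days` should be at least a week so that a one-off misconfigured client does not show up.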

