[Snort-users] Default Rules
cluestore at ...11827...
Mon Jun 21 09:57:46 EDT 2010
I do understand that I should disable all rules that I know I won't have any
services for. The policy manager looks very cool and I will check it out as
this will probably help me with managing rules.
I have a rather small environment (~30 servers), so with the policy manager,
I should be able to turn on most rules and turn them off as I need to.
Thanks for the info,
On Mon, Jun 21, 2010 at 8:45 AM, Joe Pampel <jpampel at ...14829...> wrote:
> 1. Ideally you should adjust the rulebase to reflect your network.
> If you are not running Oracle, disable Oracle rules as an example. Someone
> could throw Oracle attacks at you all day and you really don’t care. ;) You
> want to limit the number of hits you get to be things you need to care
> about. There are so many random SSH, ICMP, etc scans that no one could ever
> follow up on them all. I use IDS Policy Manager (
> http://www.activeworx.org/Default.aspx?tabid=55) to track my rules which
> makes it a lot easier to see what they all are, turn them on and off, etc.
> 2. Good way to “test” it out is to tap traffic outside your internet
> facing router and see all the bad stuff in the wild. Your sensor will get a
> workout. ;) Not realistic, but you will see rules fire.
> 3. My advice is to download Splunk and have it collect your snort
> logs (or have snort syslog to splunk). The free version is very cost
> effective ;) and does not choke on large numbers of entries. It’s also
> helpful to ID patterns in your alert traffic. For example, I have a person
> in Poland who SNMP scans me 1 host at a time, 2 packets a day. For the past
> month. :) I doubt I would have noticed that otherwise with all the other
> daily excitement.
> 4. I would not deploy anything deliberately vulnerable other than a
> purpose built honeypot.
> *From:* Clue Store [mailto:cluestore at ...11827...]
> *Sent:* Monday, June 21, 2010 9:00 AM
> *To:* snort-users at lists.sourceforge.net
> *Subject:* [Snort-users] Default Rules
> Hi All,
> I’m new to Snort, so take it easy :) I have enabled the portscan
> preprocessor and am detecting port scans from Nessus and Nmap, but if I
> disable that preprocessor, I’m not getting much else in the way of
> intrusions (this could be due to the fact that I’m only sniffing a small
> amount of traffic for a few hosts). I also see that a lot of the rules are
> #’d out, so they aren’t being used.
> 1. Should I uncomment some or all of these rules (for
> example, I have a lot of different SQL servers on my network I want to
> protect). What about the bad-traffic.rules, etc??? Are these commented out
> due to too many false positives and noise???
> 2. What is a good way of testing some of the rules out?? Do I deploy an
> un-patched server with IIS and SQL for example that have known
> vulnerabilities?? Honeypots??
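As an added example (not from this thread, and not Snort's or Splunk's own code), here is a small Python triage over Snort `alert_fast` log lines that surfaces the kind of slow, low-volume scanner Joe describes in point 3: a source that touches one host at a time with a couple of packets a day, which a plain per-day alert count would never rank near the top. The log lines, rule SIDs (local-rule range), addresses and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in Snort "alert_fast" output format (not real traffic). The
# rule ids use the local-rule SID range and the message text is a placeholder.
SAMPLE_ALERTS = [
    "06/18-02:11:03.104513  [**] [1:1000001:1] LOCAL SNMP request udp [**] [Priority: 2] {UDP} 203.0.113.5:1054 -> 192.0.2.10:161",
    "06/18-02:11:04.221876  [**] [1:1000001:1] LOCAL SNMP request udp [**] [Priority: 2] {UDP} 203.0.113.5:1054 -> 192.0.2.10:161",
    "06/19-02:14:51.003311  [**] [1:1000001:1] LOCAL SNMP request udp [**] [Priority: 2] {UDP} 203.0.113.5:1061 -> 192.0.2.11:161",
    "06/19-02:14:52.119042  [**] [1:1000001:1] LOCAL SNMP request udp [**] [Priority: 2] {UDP} 203.0.113.5:1061 -> 192.0.2.11:161",
    "06/20-02:09:17.551200  [**] [1:1000001:1] LOCAL SNMP request udp [**] [Priority: 2] {UDP} 203.0.113.5:1077 -> 192.0.2.12:161",
    "06/20-02:09:18.660001  [**] [1:1000001:1] LOCAL SNMP request udp [**] [Priority: 2] {UDP} 203.0.113.5:1077 -> 192.0.2.12:161",
] + [  # one noisy source: 20 hits in a single day, the kind of burst nobody chases by hand
    f"06/20-13:00:{i:02d}.000000  [**] [1:1000002:1] LOCAL SSH brute force [**] [Priority: 2] {{TCP}} 198.51.100.7:4{i:04d} -> 192.0.2.20:22"
    for i in range(20)
]

# One alert_fast line: timestamp, [gid:sid:rev], message, classification/priority, {proto}, src -> dst.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"  # ICMP alerts carry no ports
)

def parse_alert(line):
    """Return the fields of one alert_fast line as a dict, or None if it is not one."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    a["day"] = a["ts"].split("-")[0]  # MM/DD; alert_fast carries no year
    return a

def slow_scanners(lines, min_days=3, max_per_day=5):
    """Sources seen on at least min_days distinct days but never more than max_per_day alerts per day."""
    per_src = defaultdict(lambda: {"days": defaultdict(int), "hosts": set(), "ports": set()})
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue  # blank line, preprocessor banner, or some other non-alert text
        s = per_src[a["src"]]
        s["days"][a["day"]] += 1
        s["hosts"].add(a["dst"])
        s["ports"].add(a["dport"] or "-")
    flagged = {}
    for src, s in per_src.items():
        if len(s["days"]) >= min_days and max(s["days"].values()) <= max_per_day:
            flagged[src] = {"days": len(s["days"]), "hosts": len(s["hosts"]),
                            "ports": sorted(s["ports"]), "total": sum(s["days"].values())}
    return flagged
```

Run against a real alert file with `slow_scanners(open("alert").read().splitlines())`; the noisy one-day burst from 198.51.100.7 is deliberately left out of the result, since the point is to find what the daily top-talker view hides.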