[Snort-users] how to acquire best setting of snort rules?

Kevin Ross kevross33 at ...14012...
Mon Apr 18 10:13:11 EDT 2011


woops wrong list posted too.

On 18 April 2011 15:12, Kevin Ross <kevross33 at ...14012...> wrote:

> have a look at pulledpork to manage your rules. disable what you don't
> have/need and then have it run to download new rules. Generally the more
> unecessary stuff you tune out the better as you will be wasting time on
> alerts which don't matter and false positives. Also if you enabled them all
> you will get lots of alerts which are false positives so you need to tune
> for your network. Generally (if using pulled pork where it puts all rules
> into a snort.rules file)
>
> 1) disable entire rulesets you do not need for things you have (i.e. if you
> don't have oracle put oracle.rules to be disabled)
> 2) The hard bit, ideally you will go through all rules and disable/enable
> what you do and don't need. i.e. GID:SID (1 for normal rules, 3 for shared
> object) and then sid (it is at the end of the rule, you will see a value of
> sid:XXXXXX; so it would become
> 1:2008315,3:15695,3:16231,1:16055,3:13570,3:16228 etc
> 3) Tune FPs for enabled rules (threshold.conf etc)
>
> While there is more you can do if you do this you will have much better
> performance. Also if you have your sensor inline I would recommend not
> dropping anything at first until you determine what your performance is like
> (try using performance preprocessors too). This may help you too:
>
> http://vrt-blog.snort.org/2010/01/vrt-guide-to-ids-ruleset-tuning.html
> http://www.snort.org/assets/163/WhitePaper_Snort_PerformanceTuning_2009.pdf
>
> Kev
>
> On 16 April 2011 14:34, M.Turner Turner <msbzag at ...11827...> wrote:
>
>> Hi
>>
>> how to acquire best setting of snort rules?
>>
>> can I change the action of all rules to reject, to achieve the best
>> security?
>>
>> can I enable all rules, to achieve the best security?
>>
>> thanks
>>
>>
>
>
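A small helper, added here as an example and not part of this thread or of pulledpork itself, that applies a GID:SID list in the comma-separated format Kev describes to a snort.rules file, commenting out the matching rules so they stay visible for later review. The rule lines below are constructed samples (only the SID numbers are taken from the mail); a rule with no gid option is treated as GID 1, as Snort does.

```python
import re

# Constructed sample snort.rules content (not from the thread); rule bodies are
# placeholders, one shared-object rule carries an explicit gid:3.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 1521 (msg:"ORACLE sample"; flow:to_server; content:"foo"; sid:2008315; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB sample"; flow:to_server; content:"bar"; sid:16055; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SO sample"; gid:3; sid:15695; rev:1;)
# alert tcp any any -> any any (msg:"already disabled"; sid:99999; rev:1;)
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")


def parse_disablesid(spec):
    """Parse 'GID:SID,GID:SID,...' (a bare SID means GID 1) into a set of (gid, sid)."""
    out = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        gid, sid = item.split(":", 1) if ":" in item else ("1", item)
        out.add((int(gid), int(sid)))
    return out


def rule_key(line):
    """Return (gid, sid) for a rule line, or None if it has no sid; gid defaults to 1."""
    m = SID_RE.search(line)
    if not m:
        return None
    g = GID_RE.search(line)
    return (int(g.group(1)) if g else 1, int(m.group(1)))


def disable_rules(rules_text, disabled):
    """Comment out every active rule whose (gid, sid) is in `disabled`.

    Lines that are already comments are left untouched so they are not
    double-commented. Returns (new_text, number_of_rules_disabled).
    """
    out, count = [], 0
    for line in rules_text.splitlines():
        stripped = line.lstrip()
        if stripped and not stripped.startswith("#") and rule_key(stripped) in disabled:
            line = "# " + line
            count += 1
        out.append(line)
    return "\n".join(out) + "\n", count
```

In practice you would write the returned text back over snort.rules (or feed the same GID:SID list to pulledpork's disablesid handling) and reload Snort.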