[Snort-users] which rules to load ?
peter.bates at ...15381...
Wed Aug 29 08:11:58 EDT 2012
-----BEGIN PGP SIGNED MESSAGE-----
On 29/08/2012 12:07, Pratik Narang wrote:
> Is there anyone out there running who is Snort for a commercial
> environment or at least for a medium sized network? How does one
> shortlist on the .rules files to be used and the rules (in them) to
> be enabled ??
A lot of advice on this topic is best expressed as 'know your network'.
If you have no inbound telnet or ftp then telnet.rules and ftp.rules
are not so much use.
There are currently 3081 VRT rules enabled by default - if you have a
fair amount of RAM I'd suggest running them all and seeing what you get.
I'd then suggest you use Pulledpork to manage your rules and put the
ones that are leading to FPs in disablesid.conf.
When PP logs some new rules, look at them and evaluate whether they
are applicable to your environment, for example, from this morning for me:
- -=BEGIN PULLEDPORK SNORT RULES CHANGELOG, Tracking started on Wed Aug
1 2012 GMT=-
- -=Begin Changes Logged for Wed Aug 29 05:45:31 2012 GMT=-
BACKDOOR Trojan.Kryptik.Kazy runtime detection (1:23987)
BOTNET-CNC Trojan.Dropper connect to server attempt (1:23978)
EXPLOIT HP Data Protector Express stack buffer overflow
If you know you don't run HP Data Protector, you can just add those
new rules to your disablesid.conf.
The difficulty of course lies in whether you know you run an
application or not. I don't think there's a magic bullet.
Senior Computer Security Officer Phone: +44(0)2076792049
Information Services Division Internal Ext: 32049
University College London
London WC1E 6BT
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
-----END PGP SIGNATURE-----
More information about the Snort-users