[Snort-users] which rules to load ?

Peter Bates peter.bates at ...15381...
Wed Aug 29 08:11:58 EDT 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hello all

On 29/08/2012 12:07, Pratik Narang wrote:
> Is there anyone out there running who is Snort for a commercial 
> environment or at least for a medium sized network? How does one 
> shortlist on the .rules files to be used and the rules (in them) to
> be enabled ??

A lot of advice on this topic is best expressed as 'know your network'.
If you have no inbound telnet or ftp then telnet.rules and ftp.rules
are not so much use.

There are currently 3081 VRT rules enabled by default - if you have a
fair amount of RAM I'd suggest running them all and seeing what you get.

I'd then suggest you use Pulledpork to manage your rules and put the
ones that are leading to FPs in disablesid.conf.

When PP logs some new rules, look at them and evaluate whether they
are applicable to your environment, for example, from this morning for me:

- -=BEGIN PULLEDPORK SNORT RULES CHANGELOG, Tracking started on Wed Aug
29 05:45:3
1 2012 GMT=-

- -=Begin Changes Logged for Wed Aug 29 05:45:31 2012 GMT=-

New Rules
        BACKDOOR Trojan.Kryptik.Kazy runtime detection (1:23987)
        BOTNET-CNC Trojan.Dropper connect to server attempt (1:23978)
<snip>
        EXPLOIT HP Data Protector Express stack buffer overflow
attempt (1:23979)

If you know you don't run HP Data Protector, you can just add those
new rules to your disablesid.conf.

The difficulty of course lies in whether you know you run an
application or not. I don't think there's a magic bullet.

- -- 
Peter Bates
Senior Computer Security Officer    Phone: +44(0)2076792049
Information Services Division	    Internal Ext: 32049
University College London
London WC1E 6BT
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iQEcBAEBAgAGBQJQPgcOAAoJELhVoVpEMS6Rl+kIAIIvrhy7qmawyeQVyQSF+Y5u
7/9q+Tr0FCVA8FFglY8jrnLCjCwZkwr1zRZ2jCzXh0EQ3jKDKZ+9lsRncpkimdyp
BDCn9fWR0I+RfJhcuIRWtGnIX1QlvNEEVzWEMB/MsDypSYUhnDgNsUbKmOyJiJ3/
xfnhMeQxtlz93K7ngp2gn9d4az9lHhm91gIUpo6rIbQHc368ONMq8XI9pZTstNA7
sVe1+SMmE2Y617TofRkaeeupRCX5i+vp7oSipw3vuJTHGJNq9ubK8+LFmWKIj+cg
tpux+gNI3T3geSN4TLmA4EYN3G06PbCPua1NXmUlwOQq3oXzmyuH4ZBySFiBZHA=
=pdOu
-----END PGP SIGNATURE-----





More information about the Snort-users mailing list