[Snort-users] which rules to load ?

Jefferson, Shawn Shawn.Jefferson at ...14448...
Wed Aug 29 13:23:58 EDT 2012


Hi,

Personally, I would do either of these approaches to start (using Pulled Pork... nothing else is as good, IMO)

1. Enable ALL the rules OR use "security" or "balanced" configuration to get started (look in the PulledPork docs for an explanation of these).
2. Monitor your system for false positives and remove these via pulledpork.
3. Monitor your system for performance and either use BPFs to exclude traffic, disable poorly performing rules or beef up your equipment.

That's it.  No magic formula, just work.


-----Original Message-----
From: Pratik Narang [mailto:pratik.cse.bits at ...11827...] 
Sent: Wednesday, August 29, 2012 4:08 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] which rules to load ?

Alright, this might sound like a total noob question, but I am badly stuck on this:

How is it to be decided which Snort rules I should enable/uncomment? The purpose is to configure Snort as an IDS to monitor network activity, and alert against the standard set of things an IDS should alert against: buffer overflow attacks, injection attacks, port scans and information leaks to name a few, or in general, attempts to detect/exploit vulnerabilities, leak data and evade policies.

Is there anyone out there who is running Snort in a commercial environment, or at least for a medium-sized network? How does one shortlist the .rules files to be used and the rules (in them) to be enabled?

Thanks...

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
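A worked illustration of steps 2 and 3 of Shawn's reply (find the noisy rules, then decide between a disablesid entry and a BPF), added here as an editorial example; it is not code from either poster or from the Snort or PulledPork projects. It tallies Snort's alert_fast output by gid:sid, lists rules that fire often from many sources as disablesid.conf candidates, and, for rules that only ever fire on traffic from hosts you already trust, builds a BPF instead so the rule keeps watching everyone else. Everything in it is assumed: the alert lines are constructed, SIDs 1000001 to 1000004 and their messages are made up, 10.0.0.5 is taken to be an internal vulnerability scanner, and the file paths and thresholds are starting points, not recommendations.

```python
"""Tally Snort alert_fast output and suggest PulledPork / BPF tuning.

Added example, not code from the thread's posters or from Snort/PulledPork.
Hypothetical throughout: the SIDs, messages and hosts in SAMPLE_ALERTS are
constructed, 10.0.0.5 is assumed to be an internal vulnerability scanner,
and thresholds and paths are placeholders to adjust for a real deployment.
"""
import re

# Constructed sample lines in Snort's alert_fast format (not captured traffic).
SAMPLE_ALERTS = """\
08/29-13:20:01.000001  [**] [1:1000001:1] TEST SCAN Potential SSH scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:40001 -> 10.0.0.9:22
08/29-13:20:02.000001  [**] [1:1000001:1] TEST SCAN Potential SSH scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:40002 -> 10.0.0.10:22
08/29-13:20:03.000001  [**] [1:1000001:1] TEST SCAN Potential SSH scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:40003 -> 10.0.0.11:22
08/29-13:21:00.000001  [**] [1:1000002:2] TEST POLICY DNS query to external resolver [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 10.0.0.21:53211 -> 8.8.8.8:53
08/29-13:21:05.000001  [**] [1:1000002:2] TEST POLICY DNS query to external resolver [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 10.0.0.22:53212 -> 8.8.8.8:53
08/29-13:21:09.000001  [**] [1:1000002:2] TEST POLICY DNS query to external resolver [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 10.0.0.23:53213 -> 8.8.4.4:53
08/29-13:21:30.000001  [**] [1:1000002:2] TEST POLICY DNS query to external resolver [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 10.0.0.21:53214 -> 8.8.8.8:53
08/29-13:22:00.000001  [**] [1:1000003:1] TEST WEB-ATTACK SQL injection in query string [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:51000 -> 10.0.0.80:80
08/29-13:22:10.000001  [**] [1:1000004:1] TEST ICMP ping sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.5 -> 10.0.0.12
this line is not an alert and is skipped by the parser
"""

# One alert_fast record: timestamp, [gid:sid:rev], msg, optional classification
# and priority, {proto}, src -> dst (ip:port for TCP/UDP, bare ip for ICMP).
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<classification>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<priority>\d+)\])?"
    r"\s+\{(?P<proto>[A-Za-z0-9]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def _ip_only(endpoint):
    """Strip the :port suffix. IPv4 only: IPv6 addresses contain ':' themselves."""
    return endpoint.rsplit(":", 1)[0] if endpoint.count(":") == 1 else endpoint


def parse_alerts(text):
    """Return a list of dicts, one per parseable alert line; junk lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["src_ip"] = _ip_only(rec["src"])
        rec["dst_ip"] = _ip_only(rec["dst"])
        alerts.append(rec)
    return alerts


def summarize_by_sid(alerts):
    """Aggregate hits and distinct sources/destinations per 'gid:sid'."""
    summary = {}
    for a in alerts:
        key = f"{a['gid']}:{a['sid']}"
        s = summary.setdefault(key, {"msg": a["msg"], "hits": 0, "sources": set(), "dests": set()})
        s["hits"] += 1
        s["sources"].add(a["src_ip"])
        s["dests"].add(a["dst_ip"])
    return summary


def disablesid_candidates(summary, min_hits=3, min_sources=2):
    """Step 2: rules firing often and from several different hosts are the usual
    false-positive / policy-noise suspects. Busiest first; a human reviews them
    before they go into disablesid.conf."""
    keys = [k for k, s in summary.items()
            if s["hits"] >= min_hits and len(s["sources"]) >= min_sources]
    return sorted(keys, key=lambda k: -summary[k]["hits"])


def scanner_only_rules(summary, trusted_sources):
    """Step 3: rules whose every hit came from trusted hosts (e.g. your own
    vulnerability scanner). Exclude that traffic with a BPF rather than disabling
    the rule, which would blind Snort to the same behaviour from anyone else."""
    trusted = frozenset(trusted_sources)
    return sorted(k for k, s in summary.items() if s["sources"] and s["sources"] <= trusted)


def bpf_exclude_sources(trusted_sources):
    """BPF expression for a file that snort.conf points at with
    'config bpf_file: /etc/snort/bpf.conf' (path assumed)."""
    hosts = sorted(set(trusted_sources))
    return "not (" + " or ".join(f"src host {h}" for h in hosts) + ")"


def render_disablesid_conf(summary, keys):
    """PulledPork's disablesid.conf takes one gid:sid per line; '#' starts a comment."""
    lines = ["# generated candidates; review before committing"]
    for k in keys:
        s = summary[k]
        lines.append(f"# {s['msg']}: {s['hits']} hits from {len(s['sources'])} source(s)")
        lines.append(k)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    summary = summarize_by_sid(parse_alerts(SAMPLE_ALERTS))
    scanner = {"10.0.0.5"}  # assumed internal vulnerability scanner
    print(render_disablesid_conf(summary, disablesid_candidates(summary)))
    print("rules seen only from trusted hosts:", scanner_only_rules(summary, scanner))
    print("bpf:", bpf_exclude_sources(scanner))
```

Point `disablesid=` in pulledpork.conf at the reviewed file and re-run PulledPork; `ips_policy=security` (or `balanced`) in the same file is the policy selection the reply refers to. The thresholds are deliberately crude: a rule like the SQL injection alert above fires once from one external host and is exactly what you want to keep, which is why neither helper touches it.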