[Snort-users] Rules commented

Y M snort at ...15979...
Fri Dec 21 14:47:03 EST 2012


inline.

Date: Fri, 21 Dec 2012 10:02:53 -0500
From: juan.valencia at ...16028...
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Rules commented

> Hi guys,
>
> I have Snort integrated with another security product that basically parses the alerts sent by Snort and takes action on the node. I have been reviewing the Snort rules and I have seen that a lot of rules are commented out, so I have a couple of questions:
>
> What is the reason that a lot of rules are commented out? Will we have problems if I uncomment all the rules?

The first part of the question is because of two reasons, based on my knowledge:

1. Every network is different and has its own traffic. Rules must be tuned to match your needs.
2. Policy. The Snort team has devised a 4-type policy: connectivity, balanced, security, and no policy (no policy defined). You can read more about this and the reasons for the hows/whys at the links below:

http://blog.snort.org/2012/01/importance-of-pulledpork.html
http://blog.snort.org/2012/03/rule-category-reorganization.html

These and the embedded links will give you a good idea.

For the second part of the question, I would say yes: too many unmanageable alerts/rules, alerts that may mean nothing to your environment, and performance issues.

> What is the best way to begin activating these rules?

PulledPork will be the way to go, which is also explained in the first link.

> Thanks in advance,
>
> Best regards,
>
> P.S.: Maybe this question was resolved a long time ago and I just didn't search correctly.
> -- 
> JUAN CAMILO VALENCIA VARGAS
> Operations Engineer
> SeguraTec S.A.S, Calle 11 # 43B-50 of. 307, Medellín, Colombia
> “Choose a job you love, and you will never have to work a day in your life”
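The reply above recommends enabling rules by policy (connectivity, balanced, security) rather than uncommenting everything. As an added illustration, not code from this thread or from PulledPork, the script below applies that idea directly to a rules file: it enables each rule whose `metadata` keyword carries a matching `policy` tag and comments out the rest. The rule lines in `SAMPLE` are constructed for the example; the policy names (`balanced-ips`, `security-ips`, `connectivity-ips`) follow the form used in the Snort rule metadata.

```python
import re

# Rule header actions recognised as the start of a rule line.
ACTIONS = "alert|log|pass|drop|reject|sdrop"
# A rule line, optionally disabled with a leading "#"; the body runs to the closing ")".
RULE_RE = re.compile(r"^(?P<off>#\s*)?(?P<body>(?:" + ACTIONS + r")\s+\S.*;\s*\)\s*)$")
META_RE = re.compile(r"metadata:\s*([^;]*);")

def rule_policies(rule_body):
    """Return the set of policy names listed in the rule's metadata keyword."""
    m = META_RE.search(rule_body)
    if not m:
        return set()
    found = set()
    for item in m.group(1).split(","):
        parts = item.split()
        if len(parts) >= 2 and parts[0] == "policy":
            found.add(parts[1])
    return found

def apply_policy(rules_text, policy):
    """Enable rules tagged with `policy`, comment out every other rule.
    Non-rule lines (blanks, plain comments) pass through unchanged.
    Returns (new_text, enabled_count, disabled_count)."""
    out, enabled, disabled = [], 0, 0
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            out.append(line)
            continue
        body = m.group("body")
        if policy in rule_policies(body):
            out.append(body)
            enabled += 1
        else:
            out.append("# " + body)
            disabled += 1
    return "\n".join(out) + "\n", enabled, disabled

# Constructed sample rules for this example (sids in the local 1000000+ range).
SAMPLE = """\
# constructed sample rules, not from the Snort ruleset
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE web probe"; flow:to_server,established; content:"/probe"; metadata:policy balanced-ips drop, policy security-ips drop, service http; sid:1000001; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE noisy info rule"; content:"hello"; metadata:policy security-ips alert; sid:1000002; rev:1;)
alert udp any any -> any 53 (msg:"EXAMPLE no policy metadata"; content:"|00 01|"; sid:1000003; rev:1;)
"""

if __name__ == "__main__":
    for pol in ("connectivity-ips", "balanced-ips", "security-ips"):
        _, on, off = apply_policy(SAMPLE, pol)
        print(f"{pol}: {on} enabled, {off} disabled")
```

Running it shows why "uncomment all" is the wrong knob: the rule without any policy tag is never enabled by policy selection, and the connectivity policy enables none of the three.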



