[Snort-users] How to decide which rules should be enabled.

Tony Robinson trobinson at ...1935...
Wed Jul 18 09:53:04 EDT 2012

Realized I made some typos on my example rule.

it should be alert icmp any any any any (message:"[your message]";
sid:[your sid number]; rev:[rev. number];)

- there should be four any statements in the rule header, message argument
is usually in quotes, and each argument in the rule body must have a
semicolon after it.

... guess my coffee hasn't kicked in yet.



On Wed, Jul 18, 2012 at 9:40 AM, Tony Robinson <trobinson at ...1935...>wrote:

> Hi there,
> The question around rulesets is one that is very easy to ask, and
> exceptionally difficult to answer. It really requires knowing your network
> and enabling rules for things that concern you. that is going to differ
> from place to place and snort deployment to snort deployment. One person
> may be concerned about p2p traffic, or rules that violate corporate policy,
> while another may be concerned about botnet CNC rules.
> Something that may help you build a good rule baseline is the program
> pulled pork. (link to the readme:
> http://code.google.com/p/pulledpork/source/browse/trunk/README?r=225) The
> program will pull down the latest available rules from snort.org and
> allows you to easily build a ruleset based off three base policies:
> Connectivity over Security, Balanced, and Security over Connectivity. From
> there you can pare down a rule-heavy ruleset, or bulk up one of the smaller
> rulesets to meet your needs.
> Another recommendation I can make is signing up to the SANS @risk
> newsletter. Every Thursday, SANS puts out a newsletter of the top exploits
> and malware seen out in the wild, with the help of our very own VRT
> (Vulnerability Research Team). Under each vulnerability is an associated
> snort SID (or in some cases, multiple SIDs), and an associated ClamAV
> signature for detecting the exploit or malware. Best of all, this is a free
> resource.
> While these aren't definitive answers to your question, they are a very
> good start to building a good rule set.
> In regards to your question for testing snort, there are many ways of
> doing that. Snort has a built-in -T parameter you can use to test the
> snort.conf file and ensure that everything is "sane" and that snort will at
> least start up.
> In terms of testing whether or not snort is actively sniffing traffic off
> the wire, a good trick is to create a file called local.rules, include it
> in your snort.conf file and create a simple rule such as:
> alert icmp any any any (message:[your message here] sid:1000000; rev:1;)
> and trying pinging something your snort sensor has visibility on. If you
> get alerts, it is a good sign that snort is working. This is usually a
> setup step specified in some of the snort install guides on snort.org.
> Hope this helps,
> -Tony
> On Wed, Jul 18, 2012 at 3:47 AM, Bravo Snipper <snipperbravo at ...131...>wrote:
>> Hi
>> After snort installation now how can we decide that which rules should be
>> enabled or we should enable all the rules given by snort. Can any one
>> please share some  tutorial regarding this aspect of snort configuration.
>> Plus can any one name some standard set of tools to  test snorts setup.
>> regards.
>> ------------------------------------------------------------------------------
>> Live Security Virtual Conference
>> Exclusive live event will cover all the ways today's security and
>> threat landscape has changed and how IT managers can respond. Discussions
>> will include endpoint security, mobile security and the latest in malware
>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>> Please visit http://blog.snort.org to stay current on all the latest
>> Snort news!
> --
>  Tony Robinson
> Security Consultant I
> SourceFIRE Professional Services Division


 Tony Robinson
Security Consultant I
SourceFIRE Professional Services Division
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20120718/1a9e59f3/attachment.html>

More information about the Snort-users mailing list