[Snort-users] Rules

Joel Esler jesler at ...1935...
Tue Mar 27 11:55:25 EDT 2012


On Mar 26, 2012, at 9:20 PM, Amit B <amn0p at ...14399...> wrote:
> I am using Snort 2.9.2 and pulledpork to pull latest paid subscription rulesets. I am just curious with preprocessor and decoder alerts disabled I was wondering how many rulesets are actually active to alert me on security events. Pulledpork gives the following stats
> 
> Rule Stats....
>        New:-------134
>        Deleted:---3
>        Enabled Rules:----2803
>        Dropped Rules:----0
>        Disabled Rules:---9571
>        Total Rules:------12374
>        Done
> I am guessing 2803 rules are actually enabled (rules and so rules combined). Please correct me if I am wrong.

You are correct.

> So does Snort enable only priority rules and disable rules that were written to catch old/older attacks/issues/risks? Just wondering how Snort prioritizes signatures in its every release. Are these signatures enough to catch most common anomalies or issues, is the number comparable to what other vendors release?

We have three "Default" policies that we adhere to.  "Connectivity over Security", "Balanced", and "Security over Connectivity".

Balanced is our default.  "Security over Connectivity" turns on a lot more rules, etc.  We decide what rules go into what policy by:
Possible false positive rate
Performance
Importance of the traffic
Threat, etc.

These standards will change a bit this year as a result of the reorganization of the ruleset, but currently, that's what it is.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
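As an added example (not code from this thread, from pulledpork or from Sourcefire), the script below reproduces the enabled/disabled split pulledpork reports by treating commented-out rule lines as disabled, and tallies how many rules name each of the three default policies in their metadata. The rules are constructed samples with placeholder sids; the `policy <name> <action>` metadata form is the VRT convention, and the comment-detection is a heuristic that assumes a commented-out rule starts with `#` followed directly by a rule action.

```python
"""Count enabled/disabled Snort rules and per-policy membership from a rules file."""
import re
from collections import Counter

# Constructed sample rules (not real VRT signatures); sids are placeholders.
SAMPLE_RULES = """\
# Comment line that is not a rule
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE web attack"; content:"/cgi-bin/"; metadata:policy balanced-ips drop, policy security-ips drop; sid:1000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"EXAMPLE old ftp probe"; content:"SITE EXEC"; metadata:policy security-ips drop; sid:1000002; rev:2;)
alert udp any any -> $HOME_NET 53 (msg:"EXAMPLE dns anomaly"; metadata:policy connectivity-ips drop, policy balanced-ips drop, policy security-ips drop; sid:1000003; rev:1;)
#alert ip any any -> any any (msg:"EXAMPLE disabled, no policy"; sid:1000004; rev:1;)
"""

ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop")
# A rule line optionally starts with '#' (disabled) followed by a rule action.
RULE_RE = re.compile(r"^\s*(#\s*)?(%s)\s" % "|".join(ACTIONS))
# VRT metadata form: "policy balanced-ips drop, policy security-ips drop"
POLICY_RE = re.compile(r"policy\s+([\w-]+)\s+(\w+)")
SID_RE = re.compile(r"sid:\s*(\d+)")


def rule_stats(text):
    """Return pulledpork-style enabled/disabled counts plus rules per policy.

    Policy counts include disabled rules, so they show how many rules each
    default policy would turn on if it were applied to this file.
    """
    enabled = disabled = 0
    policies = Counter()
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # blank line or plain comment, not a rule
        if m.group(1):
            disabled += 1
        else:
            enabled += 1
        for policy_name, _action in POLICY_RE.findall(line):
            policies[policy_name] += 1
    return {"enabled": enabled, "disabled": disabled,
            "total": enabled + disabled, "policies": dict(policies)}


def sids_in_policy(text, policy_name):
    """Sorted sids of every rule (enabled or not) whose metadata names policy_name."""
    sids = []
    for line in text.splitlines():
        if RULE_RE.match(line) and any(p == policy_name for p, _ in POLICY_RE.findall(line)):
            sids.extend(int(s) for s in SID_RE.findall(line))
    return sorted(sids)


if __name__ == "__main__":
    print(rule_stats(SAMPLE_RULES))
    print("security-ips:", sids_in_policy(SAMPLE_RULES, "security-ips"))
```

Run against a real rules directory by concatenating the `.rules` files into `text`; the enabled/disabled totals should match pulledpork's "Enabled Rules" and "Disabled Rules" lines.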


