[Snort-users] Default Snort Rules

Joel Esler jesler at ...1935...
Mon Feb 25 16:42:08 EST 2013

On Feb 25, 2013, at 4:07 PM, Document Retention <document.retention at ...13610...7...> wrote:
> Greetings,
> How does Sourcefire decide what snort rules are enabled/disabled?  

This answer is going to be extremely long winded, so prepare thyself.

If it is a current exploit in the wild, and/or has good performance (fast content match), Low false positive rate, It's important, or current malware/exploit kit, It goes in the default policy (which is balanced).
If it may not be current (current but not in the wild), or *might* have bad performance, or could introduce false positives, it'll go into security
If it will have false positives, or is slow, we put it in no policies by default.

> Also,  why are some of the rules packaged but never added to snort.conf ?

Are you sure you are using a current snort.conf?

> Is there a methodology you apply?

Yes, but right now, it's up to the person who reviews the rule and puts it into the ruleset.  We are working on a project right now that will make the criteria of these policies extremely clear.  

Right now, there are essentially 7 states a rule can be in at any one time.

Connectivity over Security -> alert/drop (2)
Balanced -> alert/drop (2)
Security over Connectivity -> alert/drop (2)
Off -> 1

= 7 states.

When we get a hard and fast set of instructions about which rules will be in what policies (and there are always exceptions) we are going to be publishing a blog post http://blog.snort.org here.  Right now we are collecting numbers and seeing where those numbers should be by testing performance and false positive/true positive rate in test systems.

Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20130225/86c71828/attachment.html>

More information about the Snort-users mailing list