[Snort-users] Default Snort Rules
jesler at ...1935...
Mon Feb 25 16:42:08 EST 2013
On Feb 25, 2013, at 4:07 PM, Document Retention <document.retention at ...13610...7...> wrote:
> How does Sourcefire decide what snort rules are enabled/disabled?
This answer is going to be extremely long winded, so prepare thyself.
If it is a current exploit in the wild, and/or has good performance (fast content match), Low false positive rate, It's important, or current malware/exploit kit, It goes in the default policy (which is balanced).
If it may not be current (current but not in the wild), or *might* have bad performance, or could introduce false positives, it'll go into security
If it will have false positives, or is slow, we put it in no policies by default.
> Also, why are some of the rules packaged but never added to snort.conf ?
Are you sure you are using a current snort.conf?
> Is there a methodology you apply?
Yes, but right now, it's up to the person who reviews the rule and puts it into the ruleset. We are working on a project right now that will make the criteria of these policies extremely clear.
Right now, there are essentially 7 states a rule can be in at any one time.
Connectivity over Security -> alert/drop (2)
Balanced -> alert/drop (2)
Security over Connectivity -> alert/drop (2)
Off -> 1
= 7 states.
When we get a hard and fast set of instructions about which rules will be in what policies (and there are always exceptions) we are going to be publishing a blog post http://blog.snort.org here. Right now we are collecting numbers and seeing where those numbers should be by testing performance and false positive/true positive rate in test systems.
Senior Research Engineer, VRT
OpenSource Community Manager
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users