[Snort-users] I have written a Linux shell script to enable all Snort rules which were commented out

waldo kitty wkitty42 at ...14940...
Mon Apr 7 20:54:03 EDT 2014


On 4/7/2014 6:04 PM, Teo En Ming wrote:
> Dear List,
>
> Originally, I had wanted to use Pulled Pork to enable all Snort rules which were
> commented out/disabled. But there is no comprehensive guide/manual on Pulled
> Pork which covers every step. So I thought better and decided to write a very
> simple Linux shell script to un-comment/enable all the Snort rules which were
> commented out/disabled. The source code only consists of a few lines.

the first thing to note is that you do not want /all/ rules enabled... you would 
get so many alerts for traffic that is normal or FP (false positive) for your 
network that you would not be able to see the real threats traversing your 
network...

you have to tune snort for your network traffic... that means that you need to 
know what software is being used and enable only those rules that cover 
vulnerabilities that are known in that software...

tuning is a major item... there is no "one size fits all" glove for any 
network... without tuning, you are fighting a losing battle...

-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
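As an added example (not from the thread, nor from Snort or Pulled Pork): instead of uncommenting every disabled rule, a small POSIX sh script that re-enables only those rules whose msg names software you actually run, driven by a keyword list you maintain. The rule file, sids and keyword list are constructed for the example.

```shell
#!/bin/sh
# Added example: selectively re-enable disabled Snort rules by product keyword.
# Everything below (rule file, sids, keywords) is constructed for illustration.

# make_sample_rules <path>: write a small rule file with two disabled rules,
# one active rule and one plain comment (hypothetical sids in the local range).
make_sample_rules() {
  cat > "$1" <<'EOF'
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE test rule"; sid:9000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1433 (msg:"SERVER-MSSQL test rule"; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"PROTOCOL-SSH test rule"; sid:9000003; rev:1;)
# This is a plain comment, not a rule
EOF
}

# enable_rules <rules file> <keyword file>
# Prints the rule set to stdout. A commented-out rule is uncommented only if
# its msg field matches one of the (case-insensitive) regexes in the keyword
# file, one per line; everything else is passed through unchanged.
enable_rules() {
  rules="$1"; keywords="$2"
  while IFS= read -r line; do
    case "$line" in
      "# alert "*|"# drop "*|"# pass "*|"# log "*|"# reject "*|"# sdrop "*)
        # Isolate the msg:"..." text so keywords match the rule description,
        # not variable names or ports elsewhere on the line.
        msg=${line#*msg:\"}; msg=${msg%%\"*}
        if printf '%s\n' "$msg" | grep -q -i -E -f "$keywords"; then
          printf '%s\n' "${line#"# "}"    # deployed software: enable the rule
        else
          printf '%s\n' "$line"           # not deployed: leave it disabled
        fi ;;
      *) printf '%s\n' "$line" ;;
    esac
  done < "$rules"
}

# count_enabled <rules file>: number of active (non-comment) lines.
count_enabled() {
  grep -c -v '^[[:space:]]*#' "$1"
}
```

Run it as `enable_rules snort.rules deployed.txt > tuned.rules` and diff the result against the original before loading it; a rule that fires constantly on legitimate traffic still needs a threshold or suppression, which keyword selection alone does not provide.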
