[Snort-users] Choosing the best rules

SnortFan SnortFan at ...131...
Mon Feb 24 13:41:20 EST 2014


That's a loaded question. What rules you enable should be dependent on your environment/network etc...  

I use pulled pork and use the enablesid.conf and disablesid.conf to turn on categories and disable certain rules. It's a constant tuning.  Enabling all rules could put a heavy load on snort and flood where your storing the results (i.e. Base).  

Hope that helps,
Ed

Sent from a mobile device. 

> On Feb 24, 2014, at 12:12 PM, Michal Šutta <michal.sutta at ...11827...> wrote:
> 
> Hello,
> 
> which rules should be enabled when I want to test Snort ? I downloaded the newest rules snortrules-snapshot-2960.tar.gz but there are only around 4000 rules enabled. Is it a good idea to enable them all ? Is there a quick way to configure security policy usidng pulledpork or oinkmaster ?
> ------------------------------------------------------------------------------
> Flow-based real-time traffic analytics software. Cisco certified tool.
> Monitor traffic, SLAs, QoS, Medianet, WAAS etc. with NetFlow Analyzer
> Customize your own dashboards, set traffic alerts and generate reports.
> Network behavioral analysis & security monitoring. All-in-one tool.
> http://pubads.g.doubleclick.net/gampad/clk?id=126839071&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> 
> Please visit http://blog.snort.org to stay current on all the latest Snort news!




More information about the Snort-users mailing list