[Snort-users] Choosing the best rules

Richard Harman Jr (rharmanj) rharmanj at ...589...
Mon Feb 24 14:14:43 EST 2014


There's also the policy type in the rule metadata, which can be used by PulledPork.  Here's a couple blog posts on the policies, and pulledpork.

http://blog.snort.org/2013/10/snort-vrt-default-ruleset-rebalancing.html
http://blog.snort.org/2012/01/importance-of-pulledpork.html

Richard

From: SnortFan <SnortFan at ...131...<mailto:SnortFan at ...131...>>
Date: Monday, February 24, 2014 at 1:41 PM
To: Michal Šutta <michal.sutta at ...11827...<mailto:michal.sutta at ...14542....>>
Cc: "snort-users at lists.sourceforge.net<mailto:snort-users at ...5870....net>" <snort-users at lists.sourceforge.net<mailto:snort-users at ...2987...rge.net>>
Subject: Re: [Snort-users] Choosing the best rules

That's a loaded question. What rules you enable should be dependent on your environment/network etc...

I use pulled pork and use the enablesid.conf and disablesid.conf to turn on categories and disable certain rules. It's a constant tuning.  Enabling all rules could put a heavy load on snort and flood where your storing the results (i.e. Base).

Hope that helps,
Ed

Sent from a mobile device.

On Feb 24, 2014, at 12:12 PM, Michal Šutta <michal.sutta at ...11827...<mailto:michal.sutta at ...11827...>> wrote:
Hello,
which rules should be enabled when I want to test Snort ? I downloaded the newest rules snortrules-snapshot-2960.tar.gz but there are only around 4000 rules enabled. Is it a good idea to enable them all ? Is there a quick way to configure security policy usidng pulledpork or oinkmaster ?
------------------------------------------------------------------------------
Flow-based real-time traffic analytics software. Cisco certified tool.
Monitor traffic, SLAs, QoS, Medianet, WAAS etc. with NetFlow Analyzer
Customize your own dashboards, set traffic alerts and generate reports.
Network behavioral analysis & security monitoring. All-in-one tool.
http://pubads.g.doubleclick.net/gampad/clk?id=126839071&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net<mailto:Snort-users at lists.sourceforge.net>
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Flow-based real-time traffic analytics software. Cisco certified tool.
Monitor traffic, SLAs, QoS, Medianet, WAAS etc. with NetFlow Analyzer
Customize your own dashboards, set traffic alerts and generate reports.
Network behavioral analysis & security monitoring. All-in-one tool.
http://pubads.g.doubleclick.net/gampad/clk?id=126839071&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net<mailto:Snort-users at lists.sourceforge.net>
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140224/45b78c7e/attachment.html>


More information about the Snort-users mailing list