[Snort-users] Choosing the best rules

James Lay jlay at ...13475...
Mon Feb 24 14:22:39 EST 2014


On Mon, 2014-02-24 at 19:14 +0000, Richard Harman Jr (rharmanj) wrote:
> There's also the policy type in the rule metadata, which can be used
> by PulledPork.  Here's a couple blog posts on the policies, and
> pulledpork.
> 
> 
> http://blog.snort.org/2013/10/snort-vrt-default-ruleset-rebalancing.html
> http://blog.snort.org/2012/01/importance-of-pulledpork.html
> 
> 
> Richard
> 
> 
> From: SnortFan <SnortFan at ...131...>
> Date: Monday, February 24, 2014 at 1:41 PM
> To: Michal Šutta <michal.sutta at ...11827...>
> Cc: "snort-users at lists.sourceforge.net"
> <snort-users at lists.sourceforge.net>
> Subject: Re: [Snort-users] Choosing the best rules
> 
> 
> 
> That's a loaded question. What rules you enable should be dependent on
> your environment/network etc...  
> 
> 
> I use pulled pork and use the enablesid.conf and disablesid.conf to
> turn on categories and disable certain rules. It's a constant
> tuning.  Enabling all rules could put a heavy load on snort and flood
> where you're storing the results (i.e. Base).
> 
> 
> Hope that helps,
> Ed
> 
> 
> Sent from a mobile device. 
> 
> 
>         On Feb 24, 2014, at 12:12 PM, Michal Šutta
>         <michal.sutta at ...11827...> wrote:
>         
>         Hello,
>         
>         which rules should be enabled when I want to test Snort ? I
>         downloaded the newest rules snortrules-snapshot-2960.tar.gz
>         but there are only around 4000 rules enabled. Is it a good
>         idea to enable them all ? Is there a quick way to configure
>         security policy using pulledpork or oinkmaster ?

What's in your environment?  You running a web server, load up the web
rules.  Running pop3?  Load those up....if you're not, then don't load
them.

James
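The advice in this thread comes down to three filters applied in order: load only the rule categories for services you actually run (James), pick rules by the policy tag in their metadata (Richard), then fine-tune individual SIDs with enablesid.conf/disablesid.conf-style overrides (Ed). The following script, added here as an illustration and not code from the list, from Snort, or from PulledPork, models that selection over a handful of constructed rules. Category names mirror the VRT file naming (server-webapp, protocol-pop, policy-other) and the `metadata:policy <name> <action>` format as found in VRT rules; the SIDs 9000001-9000004 and the rule contents are made up, and the choice that an explicit disable beats an explicit enable is this example's own, not a statement about PulledPork's processing order.

```python
import re

# Matches one Snort 2.9 rule line; a leading "#" marks a rule that ships disabled.
RULE_RE = re.compile(
    r'^\s*(?P<disabled>#\s*)?(?P<action>alert|drop|pass|log)\s+.*\((?P<body>.*)\)\s*$'
)

# Constructed sample ruleset keyed by category (file name without ".rules").
# SIDs, messages and contents are invented for this example.
SAMPLE_RULESET = {
    "server-webapp": """\
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP example directory traversal"; flow:to_server,established; content:"../"; http_uri; metadata:policy balanced-ips drop, policy security-ips drop; classtype:web-application-attack; sid:9000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP example noisy admin path probe"; flow:to_server,established; content:"/admin"; http_uri; metadata:policy security-ips drop; classtype:web-application-activity; sid:9000002; rev:1;)
""",
    "protocol-pop": """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP example oversized USER"; flow:to_server,established; content:"USER "; depth:5; isdataat:256,relative; metadata:policy security-ips drop; classtype:attempted-admin; sid:9000003; rev:1;)
""",
    "policy-other": """\
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"POLICY-OTHER example cleartext mail login"; flow:to_server,established; content:"PASS "; metadata:policy security-ips alert; classtype:policy-violation; sid:9000004; rev:1;)
""",
}


def parse_rule(line):
    """Parse one rule line into a dict, or return None for comments and blanks.

    Keys: gid, sid, msg, classtype, policies (policy name -> action) and
    default_enabled (False when the line is commented out in the file).
    Options are split on ';', which is enough for the constructed samples.
    """
    m = RULE_RE.match(line)
    if not m:
        return None
    opts, policies = {}, {}
    for opt in m.group("body").split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip().strip('"')
        if key == "metadata":
            # e.g. "policy balanced-ips drop, policy security-ips drop"
            for item in val.split(","):
                parts = item.split()
                if len(parts) == 3 and parts[0] == "policy":
                    policies[parts[1]] = parts[2]
        else:
            opts[key] = val
    if "sid" not in opts:
        return None
    return {
        "gid": int(opts.get("gid", "1")),
        "sid": int(opts["sid"]),
        "msg": opts.get("msg", ""),
        "classtype": opts.get("classtype", ""),
        "policies": policies,
        "default_enabled": m.group("disabled") is None,
    }


def select_rules(ruleset, categories, policy=None, enable=(), disable=()):
    """Return the sorted list of 'gid:sid' strings that end up enabled.

    categories: categories to load at all (only for services you run).
    policy:     VRT policy name such as 'balanced-ips'; None keeps each
                rule's shipped state instead of selecting by metadata.
    enable/disable: explicit 'gid:sid' overrides in the spirit of
                enablesid.conf/disablesid.conf; here disable wins.
    """
    selected = set()
    for category, text in ruleset.items():
        if category not in categories:
            continue
        for line in text.splitlines():
            rule = parse_rule(line)
            if rule is None:
                continue
            key = f"{rule['gid']}:{rule['sid']}"
            on = rule["default_enabled"] if policy is None else policy in rule["policies"]
            if key in enable:
                on = True
            if key in disable:
                on = False
            if on:
                selected.add(key)
    return sorted(selected, key=lambda k: tuple(int(x) for x in k.split(":")))


if __name__ == "__main__":
    # A web-only host: just the webapp category, shipped defaults.
    print("web host, defaults:", select_rules(SAMPLE_RULESET, {"server-webapp"}))
    # Same host under the stricter policy, with one noisy SID tuned out.
    print("web host, security-ips minus 9000002:",
          select_rules(SAMPLE_RULESET, {"server-webapp"}, "security-ips",
                       disable={"1:9000002"}))
    # Everything under security-ips: the 'enable it all' load Ed warns about.
    print("all categories, security-ips:",
          select_rules(SAMPLE_RULESET, set(SAMPLE_RULESET), "security-ips"))
```

Running it shows the difference between the three approaches on the same rule files: the web-only host with shipped defaults gets one rule, the same host under `security-ips` picks up the commented-out probe rule unless it is explicitly disabled, and loading every category under the strictest policy turns on all four, including the POP rule that makes no sense on a host without a mail service.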

