[Snort-users] Default rule set

Sallee, Jake Jake.Sallee at ...15646...
Fri May 16 13:01:26 EDT 2014

Hello All:

Does anyone have a recommendation for a default rule set?  I am tuning my snort instances and the information I am finding seems to be that I need to try to keep my rules under 7k.  The default ET rule set is ~15k if I am not mistaken, so I am looking for a good starting point.

If anyone could share any wisdom about disabling whole ranges and/or categories I would very much appreciate it, also if anyone has a standard list of entries to put in my disablesid.conf as a good starting point I would be very grateful.

If it helps, I work for a small private university with a sizeable resident population of students that I am essentially an ISP for and also have the standard office/corporate environment for my faculty/staff users too.  Oh, and I have a full BYOD network on both the student and faculty/staff networks ... so, yeah ... I don't sleep at night.

Thank you in advance for any assistance you may be able offer.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor

900 College St.
Belton, Texas

Fone: 254-295-4658
Phax: 254-295-4221

More information about the Snort-users mailing list