[Snort-users] Default rule set

James Lay jlay at ...13475...
Fri May 16 13:14:31 EDT 2014


On 2014-05-16 11:01, Sallee, Jake wrote:
> Hello All:
>
> Does anyone have a recommendation for a default rule set?  I am
> tuning my snort instances and the information I am finding seems to
> be that I need to try to keep my rules under 7k.  The default ET rule
> set is ~15k if I am not mistaken, so I am looking for a good starting
> point.
>
> If anyone could share any wisdom about disabling whole ranges and/or
> categories I would very much appreciate it, also if anyone has a
> standard list of entries to put in my disablesid.conf as a good
> starting point I would be very grateful.
>
> If it helps, I work for a small private university with a sizeable
> resident population of students that I am essentially an ISP for and
> also have the standard office/corporate environment for my
> faculty/staff users too.  Oh, and I have a full BYOD network on both
> the student and faculty/staff networks ... so, yeah ... I don't sleep
> at night.
>
> Thank you in advance for any assistance you may be able offer.
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
> WWW.UMHB.EDU
>
> 900 College St.
> Belton, Texas
> 76513
>
> Fone: 254-295-4658
> Phax: 254-295-4221

First step...determine if you care or not about getting alerts for 
services you're not running (do you want to see alerts regarding pop3 if 
you're not running pop3?).

Next step, determine which services that you ARE running (server side) 
that you want to see alerts on, and what types of things you want to see 
client side (do you care if you see Netflix usage for example?) that you 
want to get alerts on.

Next, disable rulesets that you have NO desire to see (after 
determining the above).  If a ruleset is questionable, leave it in...you 
can always disable the entire ruleset after testing, or add the ones 
that do fire that you don't care about to your threshold.conf file.

Lastly, as I see disablesid.conf in your initial email, read every file 
that pulledpork uses in the etc and doc dirs...that will help you out.

James
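One way to work through the steps above mechanically, as an added example that is not code from the thread: a small Python script that inventories Snort rules by category file, reports how many enabled rules each category carries (so whole categories like pop3 can be dropped when the service isn't run), and emits pulledpork disablesid.conf gid:sid lines plus a threshold.conf suppress line for a single noisy rule. The rule text is constructed sample data, not real ET rules, and deriving the category name from the .rules filename is an assumption.

```python
"""Inventory Snort rules by category; emit disablesid.conf / threshold.conf lines."""
import re
from collections import Counter

# Constructed sample input: (rule file name, rule text). Not real ET rules.
SAMPLE_RULES = [
    ("emerging-pop3.rules",
     'alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"SAMPLE POP3 login"; '
     'flow:to_server,established; classtype:attempted-recon; sid:9000001; rev:1;)'),
    ("emerging-pop3.rules",   # already commented out in the file -> disabled
     '# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"SAMPLE POP3 old"; sid:9000002; rev:1;)'),
    ("emerging-policy.rules",
     'alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"SAMPLE Netflix usage"; '
     'classtype:policy-violation; sid:9000003; rev:2;)'),
    ("emerging-web_server.rules",
     'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SAMPLE web attack"; '
     'classtype:web-application-attack; sid:9000004; rev:1;)'),
]

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid:\s*(\d+)\s*;")


def parse_rules(entries):
    """Return one dict per rule: category (from filename), gid, sid, enabled flag."""
    parsed = []
    for fname, text in entries:
        sid = SID_RE.search(text)
        if not sid:          # comment or blank line, not a rule
            continue
        gid = GID_RE.search(text)
        category = fname[:-len(".rules")] if fname.endswith(".rules") else fname
        parsed.append({"category": category,
                       "gid": int(gid.group(1)) if gid else 1,   # Snort default gid
                       "sid": int(sid.group(1)),
                       "enabled": not text.lstrip().startswith("#")})
    return parsed


def enabled_count_by_category(rules):
    """How many live rules each category contributes to the total."""
    return Counter(r["category"] for r in rules if r["enabled"])


def disablesid_lines(rules, drop_categories):
    """pulledpork disablesid.conf entries (gid:sid) for whole categories you don't want."""
    return [f'{r["gid"]}:{r["sid"]}' for r in rules
            if r["enabled"] and r["category"] in drop_categories]


def suppress_line(gid, sid):
    """threshold.conf entry for one rule that fires but isn't worth an alert."""
    return f"suppress gen_id {gid}, sig_id {sid}"
```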
