[Snort-users] Default rule set

Joel Esler (jesler) jesler at ...589...
Fri May 16 14:13:53 EDT 2014


On May 16, 2014, at 1:16 PM, Kurzawa, Kevin <kkurzawa at ...16800...> wrote:

> If you use the "security" ruleset (vs the connectivity or balanced ruleset) then you will end up with around 6K rules. Balanced is several hundred fewer, I believe. The criteria for what each ruleset consists of are found on the snort.org site. It has to do with age and criticality, basically.


http://blog.snort.org/2013/10/snort-vrt-default-ruleset-rebalancing.html



> 
> Pulled Pork has an option in the config file to do this automatically. Oinkmaster does not, that I found. It is why I switched from Oinkmaster to Pulled Pork, myself.


Correct.  Pulledpork has this functionality by default.



> 
> 
> -----Original Message-----
> From: Sallee, Jake [mailto:Jake.Sallee at ...15646...] 
> Sent: Friday, May 16, 2014 1:01 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Default rule set
> 
> Hello All:
> 
> Does anyone have a recommendation for a default rule set?  I am tuning my snort instances and the information I am finding seems to be that I need to try to keep my rules under 7k.  The default ET rule set is ~15k if I am not mistaken, so I am looking for a good starting point.
> 
> If anyone could share any wisdom about disabling whole ranges and/or categories I would very much appreciate it, also if anyone has a standard list of entries to put in my disablesid.conf as a good starting point I would be very grateful.
> 
> If it helps, I work for a small private university with a sizeable resident population of students that I am essentially an ISP for and also have the standard office/corporate environment for my faculty/staff users too.  Oh, and I have a full BYOD network on both the student and faculty/staff networks ... so, yeah ... I don't sleep at night.
> 
> Thank you in advance for any assistance you may be able to offer.
> 
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
> WWW.UMHB.EDU
> 
> 900 College St.
> Belton, Texas
> 76513
> 
> Fone: 254-295-4658
> Phax: 254-295-4221
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> 
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
> 
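As an added example (not from any of the posts above, and not PulledPork's own code): a POSIX shell script that counts the enabled rules in a rules directory, then re-counts after applying a disablesid.conf written in PulledPork's syntax, so you can check whether a candidate set lands under the roughly 7k the original poster is aiming for. The rule files are constructed samples, not VRT or ET content; the entry formats (a bare category file name, a single gid:sid, or a gid:sid-gid:sid range) follow PulledPork's documented disablesid.conf conventions, and the awk filter assumes gid 1 throughout.

```shell
#!/bin/sh
# Added example: size a Snort rule set before and after a disablesid.conf.
# Assumptions: gid 1 for every rule; disablesid.conf entries are either a
# category file name (e.g. emerging-chat.rules), "gid:sid", or "gid:sid-gid:sid".
# In pulledpork.conf the base policy is chosen with ips_policy=security
# (alternatives: connectivity, balanced, max-detect) and the file built below
# is referenced via disablesid_conf=/path/to/disablesid.conf.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/rules"

# Constructed sample rule files: "alert ..." lines are enabled, "# alert ..." disabled.
cat > "$WORK/rules/emerging-chat.rules" <<'EOF'
alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"SAMPLE CHAT 1"; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"SAMPLE CHAT 2"; sid:9000002; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"SAMPLE CHAT 3 off"; sid:9000003; rev:1;)
EOF
cat > "$WORK/rules/emerging-malware.rules" <<'EOF'
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SAMPLE MALWARE 1"; sid:9000101; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SAMPLE MALWARE 2"; sid:9000102; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SAMPLE MALWARE 3"; sid:9000103; rev:1;)
EOF

# Sample disablesid.conf in PulledPork syntax: one whole category plus one SID range.
cat > "$WORK/disablesid.conf" <<'EOF'
# whole category
emerging-chat.rules
# gid:sid range
1:9000101-1:9000102
EOF

# count_enabled DIR -> number of enabled (uncommented) rules under DIR
count_enabled() {
    grep -h -E '^(alert|drop|reject|log|pass|sdrop)[[:space:]]' "$1"/*.rules | wc -l | tr -d ' '
}

# count_after_disable DIR CONF -> enabled rules that survive the CONF entries
count_after_disable() {
    dir=$1; conf=$2
    for f in "$dir"/*.rules; do
        cat=$(basename "$f")
        # a bare category name in CONF drops the whole file
        if grep -qx "$cat" "$conf"; then continue; fi
        grep -E '^(alert|drop|reject|log|pass|sdrop)[[:space:]]' "$f" || true
    done | awk -v conf="$conf" '
        BEGIN {
            # load single sids and ranges; gid is ignored (assumed 1)
            while ((getline line < conf) > 0) {
                if (line ~ /^#/ || line ~ /^[[:space:]]*$/) continue
                if (line ~ /^[0-9]+:[0-9]+-[0-9]+:[0-9]+$/) {
                    split(line, p, "[-:]"); lo[++n] = p[2] + 0; hi[n] = p[4] + 0
                } else if (line ~ /^[0-9]+:[0-9]+$/) {
                    split(line, p, ":"); lo[++n] = p[2] + 0; hi[n] = p[2] + 0
                }
            }
        }
        {
            if (match($0, /sid:[0-9]+;/)) {
                sid = substr($0, RSTART + 4, RLENGTH - 5) + 0
                keep = 1
                for (i = 1; i <= n; i++) if (sid >= lo[i] && sid <= hi[i]) { keep = 0; break }
                if (keep) c++
            }
        }
        END { print c + 0 }'
}

echo "enabled before: $(count_enabled "$WORK/rules")"
echo "enabled after disablesid.conf: $(count_after_disable "$WORK/rules" "$WORK/disablesid.conf")"
```

Point both functions at your real rules directory and the disablesid.conf PulledPork will consume to see where a policy choice plus category cuts lands you; the sample above goes from 5 enabled rules to 1.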
