Snort mailing list archives

RE: Snort Questions


From: "Michael Steele" <michaels () silicondefense com>
Date: Thu, 20 Jun 2002 08:22:26 -0700


Sandy,

This can be very subjective on what really needs to be omitted. I think
going through and removing what you don't need first, is a good first
step. Then start the procedure of really scrutinizing the remainder of
the rules.

If you are not running IIS then dump the IIS.rules. If you're not
running Cold Fusion, then dump those. Do that on your first round. Then
start the tedious task of removing individual rules that you know you
really don't care about, or need.

There are a couple of things you can do to improve performance too, if
that is a concern.

-Michael
--
 Michael Steele | System Engineer / Support Technician
 mailto:michaels () silicondefense com
 Silicon Defense: IDS solutions - http://www.silicondefense.com
 Snort: Open Source Network IDS - http://www.snort.org



-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Sandy
Martin
Sent: Thursday, June 20, 2002 5:23 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort Questions

I have been studying Snort on Windows for a couple of weeks now and have
gotten a pretty good idea of how it works and how to deploy it.

If it is ok, I would like to ask a couple of questions to clarify a couple
of points.

First, after looking through the rules, I noticed a wide variety of rules
for a cross section of platforms. I understand that they were written that
way on purpose. My question is, is it ok to go through and edit these rules
to remove all of the *nix related stuff? Our network is composed of 20
nodes. All Windows 2000 with 1 Windows 2000 Server. The server is a DC but
not a web/mail, etc. server. So, I was thinking that to improve performance
and reduce false positives, I could go through and edit the rules leaving
only the Win32 stuff in. Is this a good route to go?

The second question is as follows. Given the pretty basic network setup
described above, can someone give me a good idea of which rules are good to
start with (before I get into editing them)? Obviously, some like X11 and
web-coldfusion would not be necessary. What would be a good starting point?
Any input here?

Thank you to anyone that is able to help.

Sandy
Low man on the totem pole



-------------------------------------------------------
                   Bringing you mounds of caffeinated joy
                   >>>     http://thinkgeek.com/sf    <<<

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
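As an added example of the first-round pruning Michael describes (this is not code from the thread or from the Snort project), a small Python helper that comments out the `include $RULE_PATH/...` lines for rule files you do not need, and separately disables individual rules by SID so the rule file itself stays intact for later updates. The snort.conf fragment, the rule lines and the SIDs in the 9000000 range are constructed for this example.

```python
import re

# Constructed snort.conf fragment (not from the post): Snort-style include lines.
SNORT_CONF = """\
var RULE_PATH ../rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/scan.rules
"""

# Constructed rule lines; SIDs in the 9000000 range are placeholders, not real Snort SIDs.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-IIS sample"; flags:A+; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS sample"; flags:A+; sid:9000002; rev:1;)
"""

INCLUDE_RE = re.compile(r"^\s*include\s+\$RULE_PATH/([\w.-]+)\s*$")
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")


def drop_rule_files(conf, unwanted):
    """First round: comment out whole rule files that do not apply to the network.
    Returns (new_conf_text, list of rule files disabled). Already-commented
    include lines do not match INCLUDE_RE, so running this twice is harmless."""
    out, disabled = [], []
    for line in conf.splitlines():
        m = INCLUDE_RE.match(line)
        if m and m.group(1) in unwanted:
            out.append("# " + line.strip() + "   # disabled: not relevant here")
            disabled.append(m.group(1))
        else:
            out.append(line)
    return "\n".join(out) + "\n", disabled


def disable_sids(rules, sids):
    """Second round: comment out individual rules by SID inside a rule file.
    Tracking disabled SIDs (rather than deleting lines) makes the pruning
    easy to re-apply after a rules update. Returns (new_text, SIDs disabled)."""
    out, disabled = [], []
    for line in rules.splitlines():
        m = SID_RE.search(line)
        if m and int(m.group(1)) in sids and not line.lstrip().startswith("#"):
            out.append("# " + line)
            disabled.append(int(m.group(1)))
        else:
            out.append(line)
    return "\n".join(out) + "\n", disabled
```

For a Windows-only network like the one described, the first call would drop web-iis.rules, web-coldfusion.rules and x11.rules while leaving netbios.rules and scan.rules enabled.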






