Snort mailing list archives
RE: Snort Questions
From: "Michael Steele" <michaels () silicondefense com>
Date: Thu, 20 Jun 2002 08:22:26 -0700
Sandy,

This can be very subjective on what really needs to be omitted. I think going through and removing what you don't need first is a good first step. Then start the procedure of really scrutinizing the remainder of the rules. If you are not running IIS, then dump the IIS.rules. If you're not running Cold Fusion, then dump those. Do that on your first round. Then start the tedious task of removing individual rules that you know you really don't care about, or need.

There are a couple of things you can do to improve performance too, if that is a concern.

-Michael
--
Michael Steele | System Engineer / Support Technician
mailto:michaels () silicondefense com
Silicon Defense: IDS solutions - http://www.silicondefense.com
Snort: Open Source Network IDS - http://www.snort.org

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Sandy Martin
Sent: Thursday, June 20, 2002 5:23 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort Questions

I have been studying Snort on Windows for a couple of weeks now and have gotten a pretty good idea of how it works and how to deploy it. If it's ok, I would like to ask a couple of questions to clarify a couple of points.

First, after looking through the rules, I noticed a wide variety of rules for a cross section of platforms. I understand that they were written that way on purpose. My question is, is it ok to go through and edit these rules to remove all of the *nix related stuff? Our network is composed of 20 nodes. All Windows 2000 with 1 Windows 2000 Server. The server is a DC but not a web/mail, etc. server. So, I was thinking that to improve performance and reduce false positives, I could go through and edit the rules leaving only the Win32 stuff in. Is this a good route to go?

The second question is as follows. Given the pretty basic network setup described above, can someone give me a good idea of which rules are good to start with (before I get into editing them)? Obviously, some like X11 and web-coldfusion would not be necessary. What would be a good starting point? Any input here?

Thank you to anyone that is able to help.

Sandy
Low man on the totem pole

-------------------------------------------------------
Bringing you mounds of caffeinated joy
>>> http://thinkgeek.com/sf <<<
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
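The two-pass trimming Michael describes (first drop whole rule files for services you do not run, then disable individual rules you do not care about), written out as an added example. This is not code from the thread or from the Snort project; the snort.conf fragment, the rule file names (web-iis.rules, web-coldfusion.rules, x11.rules, netbios.rules, smtp.rules) and the SIDs are constructed for illustration. Rules are commented out rather than deleted so that anything dropped by mistake can be turned back on without re-downloading the rule set.

```python
"""Trim a Snort rule set to what the monitored network actually runs.

Pass 1: comment out `include` lines in snort.conf for rule files that cover
        services not present (IIS, ColdFusion, X11, ...).
Pass 2: comment out individual rules by SID inside the remaining .rules files.
Both passes comment out instead of deleting, so the change is reversible.
"""
import re

# Constructed snort.conf fragment (not from the original post).
SAMPLE_CONF = """\
var HOME_NET 192.168.1.0/24
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/smtp.rules
"""

# Constructed rules file; SIDs are in the local (>= 1000000) range on purpose
# so they cannot be mistaken for real Snort rule identifiers.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB example one"; flow:to_server,established; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB example two"; flow:to_server,established; sid:9000002; rev:1;)
# a line that is already a comment is left alone
"""

# `include $RULE_PATH/foo.rules` or a bare `include foo.rules`
INCLUDE_RE = re.compile(r'^\s*include\s+(?:\$RULE_PATH/)?([\w.-]+\.rules)\s*$')
# the sid option inside a rule body
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')


def disable_rule_files(conf_text, unwanted):
    """Pass 1: comment out includes of the rule files named in `unwanted`.

    Returns (new_conf_text, list_of_files_dropped_in_order).
    """
    out, dropped = [], []
    for line in conf_text.splitlines():
        m = INCLUDE_RE.match(line)
        if m and m.group(1) in unwanted:
            out.append("# " + line)
            dropped.append(m.group(1))
        else:
            out.append(line)
    return "\n".join(out) + "\n", dropped


def disable_sids(rules_text, sids):
    """Pass 2: comment out every active rule whose sid is in `sids`.

    Returns (new_rules_text, list_of_sids_disabled_in_order).
    """
    out, disabled = [], []
    for line in rules_text.splitlines():
        m = SID_RE.search(line)
        active = not line.lstrip().startswith("#")
        if m and active and int(m.group(1)) in sids:
            out.append("# " + line)
            disabled.append(int(m.group(1)))
        else:
            out.append(line)
    return "\n".join(out) + "\n", disabled


if __name__ == "__main__":
    # Windows-only network with no web servers: drop IIS, ColdFusion and X11.
    conf, dropped = disable_rule_files(
        SAMPLE_CONF, {"web-iis.rules", "web-coldfusion.rules", "x11.rules"})
    print("dropped rule files:", dropped)
    print(conf)
    # Then prune single rules from what is left, by SID.
    rules, disabled = disable_sids(SAMPLE_RULES, {9000002})
    print("disabled sids:", disabled)
    print(rules)
```

Run it against real files by reading snort.conf and each .rules file into the two functions and writing the results back; keep the original copies so the diff shows exactly what was switched off, and re-run the pass after each rule-set update, since a fresh download reinstates everything.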
Current thread:
- Snort Questions Sandy Martin (Jun 20)
- Re: Snort Questions Mike Shaw (Jun 20)
- RE: Snort Questions Michael Steele (Jun 20)