Snort mailing list archives

Re: Default Rules


From: Joe Pampel <jpampel () paladyne com>
Date: Mon, 21 Jun 2010 09:45:51 -0400

Jm2c:


1. Ideally you should adjust the rulebase to reflect your network. If you are not running Oracle, disable Oracle rules as an example. Someone could throw Oracle attacks at you all day and you really don't care. ;) You want to limit the number of hits you get to be things you need to care about. There are so many random SSH, ICMP, etc. scans that no one could ever follow up on them all. I use IDS Policy Manager (http://www.activeworx.org/Default.aspx?tabid=55) to track my rules, which makes it a lot easier to see what they all are, turn them on and off, etc.

2. A good way to "test" it out is to tap traffic outside your internet facing router and see all the bad stuff in the wild. Your sensor will get a workout. ;) Not realistic, but you will see rules fire.

3. My advice is to download Splunk and have it collect your snort logs (or have snort syslog to splunk). The free version is very cost effective ;) and does not choke on large numbers of entries. It's also helpful to ID patterns in your alert traffic. For example, I have a person in Poland who SNMP scans me 1 host at a time, 2 packets a day. For the past month. :) I doubt I would have noticed that otherwise with all the other daily excitement.

4. I would not deploy anything deliberately vulnerable other than a purpose built honeypot.


From: Clue Store [mailto:cluestore () gmail com]
Sent: Monday, June 21, 2010 9:00 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Default Rules


Hi All,

I'm new to Snort, so take it easy :) I have enabled the portscan preprocessor and am detecting port scans from Nessus and Nmap, but if I disable that preprocessor, I'm not getting much else in the way of intrusions (this could be due to the fact that I'm only sniffing a small amount of traffic for a few hosts). I also see that a lot of the rules are #'d out, so they aren't being used.

1. Should I uncomment some or all of these rules (for example, I have a lot of different SQL servers on my network I want to protect)? What about the bad-traffic.rules, etc.? Are these commented out due to too many false positives and noise?
2. What is a good way of testing some of the rules out? Do I deploy an un-patched server with IIS and SQL, for example, that have known vulnerabilities? Honeypots?

Thanks,
Max
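The pattern-spotting Joe recommends in his point 3 (a source that probes one host at a time, a couple of packets a day, buried in the daily alert volume) can also be done without Splunk. The following is an added example, not code from either post: a Python script that parses Snort alert_fast lines and flags low-and-slow sources. The sample log lines, addresses and the signature ID 9999001 are constructed for the example, and the thresholds (min_days, max_per_day, min_targets) are assumptions to tune per network.

```python
import re
from collections import defaultdict

# Snort alert_fast layout: "MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] ... {PROTO} src:port -> dst:port"
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$")

def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not an alert_fast record."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["day"] = fields["ts"][:5]  # MM/DD; alert_fast timestamps carry no year
    return fields

def slow_scanners(lines, min_days=3, max_per_day=5, min_targets=3):
    """Sources that alert on only a few packets per day, but on several days and against
    several distinct hosts: the 'one host at a time' pattern. Thresholds are assumptions."""
    per_src = defaultdict(lambda: {"days": defaultdict(int), "targets": set(), "sigs": set()})
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        s = per_src[a["src"]]
        s["days"][a["day"]] += 1
        s["targets"].add(a["dst"])
        s["sigs"].add(a["msg"])
    found = {}
    for src, s in per_src.items():
        if (len(s["days"]) >= min_days and max(s["days"].values()) <= max_per_day
                and len(s["targets"]) >= min_targets):
            found[src] = {"days": len(s["days"]), "alerts": sum(s["days"].values()),
                          "targets": sorted(s["targets"]), "sigs": sorted(s["sigs"])}
    return found

def _alert(day, src, dst, msg="SNMP public access udp", proto="UDP", dport=161):
    """Build a constructed alert_fast line (sid 9999001 is a placeholder, not a real rule)."""
    return (f"06/{day:02d}-03:14:00.000000  [**] [1:9999001:1] {msg} [**] "
            f"[Classification: Attempted Information Leak] [Priority: 2] "
            f"{{{proto}}} {src}:40000 -> {dst}:{dport}")

# Constructed sample log: a slow SNMP prober (2 packets a day, a new host each day),
# a noisy one-day sweep of 40 hosts, and a lone unrelated alert.
SAMPLE = ([_alert(d, "203.0.113.7", f"192.0.2.{10 + d}") for d in (1, 2, 3, 4) for _ in range(2)]
          + [_alert(5, "198.51.100.9", f"192.0.2.{n}") for n in range(1, 41)]
          + [_alert(6, "192.0.2.250", "192.0.2.1", msg="SSH brute force (constructed)", proto="TCP", dport=22)])
```

Running `slow_scanners(SAMPLE)` flags only 203.0.113.7; the loud one-day sweep and the single alert fall through, which is the point: daily volume alone would never surface the slow one.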
