Snort mailing list archives
Re: how to acquire best setting of snort rules?
From: Kevin Ross <kevross33 () googlemail com>
Date: Mon, 18 Apr 2011 15:13:11 +0100
Whoops, wrong list posted to.

On 18 April 2011 15:12, Kevin Ross <kevross33 () googlemail com> wrote:

Have a look at pulledpork to manage your rules. Disable what you don't have/need and then have it run to download new rules. Generally the more unnecessary stuff you tune out the better, as you will be wasting time on alerts which don't matter and false positives. Also, if you enabled them all you will get lots of alerts which are false positives, so you need to tune for your network.

Generally (if using pulledpork, where it puts all rules into a snort.rules file):

1) Disable entire rulesets you do not need for things you have (i.e. if you don't have Oracle, put oracle.rules to be disabled).

2) The hard bit: ideally you will go through all rules and disable/enable what you do and don't need, i.e. GID:SID (1 for normal rules, 3 for shared object) and then the sid (it is at the end of the rule, you will see a value of sid:XXXXXX;), so it would become 1:2008315,3:15695,3:16231,1:16055,3:13570,3:16228 etc.

3) Tune FPs for enabled rules (threshold.conf etc.).

While there is more you can do, if you do this you will have much better performance. Also, if you have your sensor inline I would recommend not dropping anything at first until you determine what your performance is like (try using performance preprocessors too).

This may help you too:
http://vrt-blog.snort.org/2010/01/vrt-guide-to-ids-ruleset-tuning.html
http://www.snort.org/assets/163/WhitePaper_Snort_PerformanceTuning_2009.pdf

Kev

On 16 April 2011 14:34, M.Turner Turner <msbzag () gmail com> wrote:

Hi,
how to acquire best setting of snort rules?
Can I change the action of all rules to reject, to achieve the best security?
Can I enable all rules, to achieve the best security?
thanks

------------------------------------------------------------------------------
Benefiting from Server Virtualization: Beyond Initial Workload Consolidation -- Increasing the use of server virtualization is a top priority. Virtualization can reduce costs, simplify management, and improve application availability and disaster protection. Learn more about boosting the value of server virtualization. http://p.sf.net/sfu/vmware-sfdev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
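The three tuning steps in Kevin's reply (drop whole rulesets, disable individual rules by GID:SID, then rate-limit the noisy ones in threshold.conf) are usually done by pulledpork's disablesid and threshold handling. The script below is an added example, not code from the thread or from pulledpork: it parses a constructed snort.rules sample, comments out every active rule whose GID:SID appears in a list written in the mail's "1:2008315,3:15695,..." form, reports which ids were actually hit so you can spot typos in the list, and builds an event_filter line (Snort's threshold.conf syntax) for a rule you want to keep enabled but throttle. The sid values 2008315, 16055 and 15695 come from the mail; the rule text, msg strings and the function names are constructed for the example.

```python
# Added example (not from the thread): disable Snort rules from a GID:SID list
# and emit threshold.conf event_filter lines, as a stand-in for the manual
# pass over snort.rules that the mail describes. All rule text is constructed.
import re
from typing import List, Set, Tuple

# Constructed sample of a merged snort.rules file. The sid values 2008315,
# 16055 and 15695 are taken from the mail; the msg strings are made up.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 1521 (msg:"ORACLE constructed sample"; flow:to_server,established; content:"TNS"; sid:2008315; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB constructed sample"; flow:to_server,established; content:"/cgi-bin/"; sid:16055; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SO stub constructed sample"; gid:3; sid:15695; rev:1;)
# alert tcp any any -> any any (msg:"already disabled sample"; sid:999999; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"DNS constructed sample"; sid:3000001; rev:1;)
"""

# Disable list in the GID:SID form used in the mail (a subset of its example).
DISABLE_SPEC = "1:2008315,3:15695,1:16055"

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")


def parse_disable_list(spec: str) -> Set[Tuple[int, int]]:
    """Turn '1:2008315,3:15695,16055' into {(1, 2008315), (3, 15695), (1, 16055)}.
    A bare sid defaults to gid 1, which is Snort's gid for plain text rules."""
    ids = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        gid, _, sid = item.rpartition(":")
        ids.add((int(gid) if gid else 1, int(sid)))
    return ids


def rule_id(line: str):
    """Return (gid, sid) for a rule line (commented out or not), else None.
    Rules without an explicit gid option are gid 1."""
    body = line.lstrip("# \t")
    sid = SID_RE.search(body)
    if not sid or "(" not in body:
        return None
    gid = GID_RE.search(body)
    return (int(gid.group(1)) if gid else 1, int(sid.group(1)))


def disable_rules(rules_text: str,
                  disable: Set[Tuple[int, int]]) -> Tuple[str, List[Tuple[int, int]]]:
    """Comment out every active rule whose (gid, sid) is in `disable`.
    Returns the rewritten file text and the ids actually disabled, in file
    order; comparing that list with `disable` shows entries that matched nothing."""
    out, disabled = [], []
    for line in rules_text.splitlines():
        rid = rule_id(line)
        if rid is not None and rid in disable and not line.lstrip().startswith("#"):
            out.append("# " + line)
            disabled.append(rid)
        else:
            out.append(line)
    return "\n".join(out) + "\n", disabled


def active_ids(rules_text: str) -> Set[Tuple[int, int]]:
    """Ids of rules that are still enabled, for checking the result."""
    return {rule_id(ln) for ln in rules_text.splitlines()
            if rule_id(ln) is not None and not ln.lstrip().startswith("#")}


def event_filter_line(gid: int, sid: int, count: int = 1, seconds: int = 60) -> str:
    """threshold.conf entry for step 3: keep a noisy rule enabled but limit it
    to `count` alerts per source address every `seconds` seconds."""
    return (f"event_filter gen_id {gid}, sig_id {sid}, type limit, "
            f"track by_src, count {count}, seconds {seconds}")


def run_example() -> Tuple[str, List[Tuple[int, int]]]:
    """Apply DISABLE_SPEC to SAMPLE_RULES."""
    return disable_rules(SAMPLE_RULES, parse_disable_list(DISABLE_SPEC))


if __name__ == "__main__":
    new_text, disabled = run_example()
    print(new_text)
    print("disabled:", disabled)
    print("still active:", sorted(active_ids(new_text)))
    print(event_filter_line(1, 3000001))
```

Run it and the three listed ids are commented out, the already-commented sid 999999 is left alone, and only 1:3000001 stays active. On a real sensor you would run the rewritten file through snort -T before deploying it, and keep the disable list in version control so the reasoning behind each tuned-out rule survives the next rule update.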