Snort mailing list archives
Re: How to decide which rules should be enabled.
From: "Lay, James" <james.lay () wincofoods com>
Date: Thu, 19 Jul 2012 08:24:42 -0600
From: Bravo Snipper [mailto:snipperbravo () yahoo com] Sent: Thursday, July 19, 2012 2:04 AM To: Tony Robinson Cc: snort list Subject: Re: [Snort-users] How to decide which rules should be enabled. Hi Al right I opted for rule policy "security" in pulledpork. Now when i manually downloaded snortrules-snapshot-xxxx I can see different *.rules file, a separate pre_proc directory etc. But when i use pulledpork it only places a singal file snort.rules in rules directory, it has all the rules in single file. Why is it different? Isn't keeping separate rules file e.g scan.rules, web-attack.rules is more manageable. Can this(keeping single rule file or multiple) be configured using pulledpork configuration. Currently I used pulledpork in the following way; -My pulledpork command /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -T -l -ips_policy=security Regards ________________________________________ From: Tony Robinson <trobinson () sourcefire com> To: Bravo Snipper <snipperbravo () yahoo com> Cc: snort list <snort-users () lists sourceforge net> Sent: Wednesday, July 18, 2012 7:53 PM Subject: Re: [Snort-users] How to decide which rules should be enabled. Realized I made some typos on my example rule. it should be alert icmp any any any any (message:"[your message]"; sid:[your sid number]; rev:[rev. number];) - there should be four any statements in the rule header, message argument is usually in quotes, and each argument in the rule body must have a semicolon after it. ... guess my coffee hasn't kicked in yet. Cheers, -Tony On Wed, Jul 18, 2012 at 9:40 AM, Tony Robinson <trobinson () sourcefire com> wrote: Hi there, The question around rulesets is one that is very easy to ask, and exceptionally difficult to answer. It really requires knowing your network and enabling rules for things that concern you. that is going to differ from place to place and snort deployment to snort deployment. One person may be concerned about p2p traffic, or rules that violate corporate policy, while another may be concerned about botnet CNC rules. Something that may help you build a good rule baseline is the program pulled pork. (link to the readme: http://code.google.com/p/pulledpork/source/browse/trunk/README?r=225) The program will pull down the latest available rules from snort.org and allows you to easily build a ruleset based off three base policies: Connectivity over Security, Balanced, and Security over Connectivity. From there you can pare down a rule-heavy ruleset, or bulk up one of the smaller rulesets to meet your needs. Another recommendation I can make is signing up to the SANS @risk newsletter. Every Thursday, SANS puts out a newsletter of the top exploits and malware seen out in the wild, with the help of our very own VRT (Vulnerability Research Team). Under each vulnerability is an associated snort SID (or in some cases, multiple SIDs), and an associated ClamAV signature for detecting the exploit or malware. Best of all, this is a free resource. While these aren't definitive answers to your question, they are a very good start to building a good rule set. In regards to your question for testing snort, there are many ways of doing that. Snort has a built-in -T parameter you can use to test the snort.conf file and ensure that everything is "sane" and that snort will at least start up. In terms of testing whether or not snort is actively sniffing traffic off the wire, a good trick is to create a file called local.rules, include it in your snort.conf file and create a simple rule such as: alert icmp any any any (message:[your message here] sid:1000000; rev:1;) and trying pinging something your snort sensor has visibility on. If you get alerts, it is a good sign that snort is working. This is usually a setup step specified in some of the snort install guides on snort.org. Hope this helps, -Tony On Wed, Jul 18, 2012 at 3:47 AM, Bravo Snipper <snipperbravo () yahoo com> wrote: Hi After snort installation now how can we decide that which rules should be enabled or we should enable all the rules given by snort. Can any one please share some tutorial regarding this aspect of snort configuration. Plus can any one name some standard set of tools to test snorts setup. regards. Bravo, There are two schools of thought for IDS.....alert on everything regardless if it's in your environment, or alert on things only in your environment. Alerting on everything gives you a broader picture of who/what is attacking you; alerting on just what you're running is more focused and will most likely fire less alerts that you'll have to deal with. It really depends on what YOU want to see...do you want to see if someone is attacking pop3 if it's not open and running, or do you just care about what services you're running? As for the single snort.rules file versus many rule files, could depend on how you're doing it. An a machine running just one instance of snort, the single file is nice. If you've got multiple instances that have different requirements, then separate rules files seems to be the way to go. Hope that helps. James ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- How to decide which rules should be enabled. Bravo Snipper (Jul 18)
- Re: How to decide which rules should be enabled. Jeremy Hoel (Jul 18)
- Re: How to decide which rules should be enabled. Tony Robinson (Jul 18)
- Re: How to decide which rules should be enabled. Tony Robinson (Jul 18)
- Re: How to decide which rules should be enabled. Bravo Snipper (Jul 19)
- Re: How to decide which rules should be enabled. Lay, James (Jul 19)
- Re: How to decide which rules should be enabled. Joel Esler (Jul 19)
- Re: How to decide which rules should be enabled. Lay, James (Jul 19)
- Re: How to decide which rules should be enabled. Castle, Shane (Jul 19)
- Re: How to decide which rules should be enabled. JJC (Jul 19)
- Re: How to decide which rules should be enabled. Joel Esler (Jul 19)
- Re: How to decide which rules should be enabled. Tony Robinson (Jul 18)