Snort mailing list archives

Re: Default Snort Rules


From: Joel Esler <jesler () sourcefire com>
Date: Mon, 25 Feb 2013 16:42:08 -0500

On Feb 25, 2013, at 4:07 PM, Document Retention <document.retention () gmail com> wrote:
> Greetings,

> How does Sourcefire decide what snort rules are enabled/disabled?

This answer is going to be extremely long winded, so prepare thyself.

If it is a current exploit in the wild, and/or has good performance (fast content match), low false positive rate, it's
important, or current malware/exploit kit, it goes in the default policy (which is balanced).
If it may not be current (current but not in the wild), or *might* have bad performance, or could introduce false
positives, it'll go into security.
If it will have false positives, or is slow, we put it in no policies by default.

> Also, why are some of the rules packaged but never added to snort.conf?

Are you sure you are using a current snort.conf?
http://www.snort.org/vrt/snort-conf-configurations

> Is there a methodology you apply?

Yes, but right now, it's up to the person who reviews the rule and puts it into the ruleset.  We are working on a 
project right now that will make the criteria of these policies extremely clear.  

Right now, there are essentially 7 states a rule can be in at any one time.

Connectivity over Security -> alert/drop (2)
Balanced -> alert/drop (2)
Security over Connectivity -> alert/drop (2)
Off -> 1

= 7 states.

When we get a hard and fast set of instructions about which rules will be in what policies (and there are always
exceptions) we are going to be publishing a blog post here: http://blog.snort.org. Right now we are collecting numbers
and seeing where those numbers should be by testing performance and false positive/true positive rate in test systems.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
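As an added illustration for this page (not part of the thread, and not Sourcefire's own tooling): the three policies and the alert/drop/off states Joel describes map onto the `metadata:policy <name> <action>` entries carried on each rule in the VRT ruleset, with a rule a policy does not mention being "off" in that policy. The script below reads rules in that form, reports each rule's state under every policy (the seven-state picture), and re-renders a rules file for one chosen policy. The policy names `connectivity-ips`, `balanced-ips` and `security-ips` are assumed from that metadata convention; the sample rules are constructed for this example, with placeholder sids in the local 1000000+ range, one per tier mentioned in the reply.

```python
import re

# Policy names as used in the "metadata:policy <name> <action>" entries of the
# VRT ruleset (assumed convention; these are the three policies in the reply).
POLICIES = ("connectivity-ips", "balanced-ips", "security-ips")

_HEADER_RE = re.compile(r"^\s*(?:#\s*)?(alert|drop|log|pass)\s+(\S.*)$")
_METADATA_RE = re.compile(r"metadata\s*:\s*([^;]*);")
_POLICY_RE = re.compile(r"policy\s+([a-z]+-ips)\s+(alert|drop)")
_SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

# Constructed sample rules (placeholder sids, not real VRT signatures):
#   0: in the wild, cheap content match  -> drop in all three policies
#   1: possibly slow/noisy (pcre)         -> alert in security only
#   2: known false-positive source        -> shipped commented out, no policy
#   3: mixed                              -> alert in balanced, drop in security
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXAMPLE exploit kit landing page"; flow:to_server,established; content:"/landing.php"; http_uri; metadata:policy connectivity-ips drop, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:1000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXAMPLE generic parameter anomaly"; flow:to_server,established; pcre:"/[?&]id=[^&]{200}/U"; metadata:policy security-ips alert, service http; classtype:web-application-attack; sid:1000002; rev:1;)',
    '# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXAMPLE noisy legacy check"; flow:to_server,established; content:"admin"; http_uri; classtype:web-application-activity; sid:1000003; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXAMPLE suspicious but not confirmed in the wild"; flow:to_server,established; content:"/cgi-bin/"; http_uri; content:"|00|"; distance:0; metadata:policy balanced-ips alert, policy security-ips drop, service http; classtype:attempted-recon; sid:1000004; rev:1;)',
]


def parse_policies(rule):
    """Return {policy: 'alert'|'drop'} declared in the rule's metadata keyword."""
    m = _METADATA_RE.search(rule)
    if not m:
        return {}
    return {p: a for p, a in _POLICY_RE.findall(m.group(1)) if p in POLICIES}


def rule_state(rule, policy):
    """State of one rule under one policy: 'drop', 'alert' or 'off'."""
    if policy not in POLICIES:
        raise ValueError("unknown policy: %s" % policy)
    return parse_policies(rule).get(policy, "off")


def apply_policy(rule, policy):
    """Re-render one rule line for the chosen policy.

    The policy's action replaces whatever action the file shipped with; a rule
    the policy does not mention is written back commented out, which is the
    on-disk form of the 'off' state (whether or not it shipped enabled).
    """
    m = _HEADER_RE.match(rule)
    if not m:
        return rule  # blank line or free-text comment: leave alone
    state = rule_state(rule, policy)
    body = m.group(2)
    if state == "off":
        return "# alert " + body
    return state + " " + body


def render_ruleset(rules, policy):
    """Apply one policy to every line of a rules file."""
    return [apply_policy(r, policy) for r in rules]


def summarise(rules):
    """sid -> {policy: state} for every rule, so all seven states are visible."""
    table = {}
    for rule in rules:
        sid = _SID_RE.search(rule)
        if sid and _HEADER_RE.match(rule):
            table[int(sid.group(1))] = {p: rule_state(rule, p) for p in POLICIES}
    return table


if __name__ == "__main__":
    for sid, states in sorted(summarise(SAMPLE_RULES).items()):
        print(sid, " ".join("%s=%s" % kv for kv in states.items()))
    print()
    for line in render_ruleset(SAMPLE_RULES, "balanced-ips"):
        print(line[:72] + ("..." if len(line) > 72 else ""))
```

Note that the chosen policy, not the action the file shipped with, decides the rendered state: a rule that ships commented out but carries a `policy security-ips drop` entry comes back enabled as `drop` when you render for security, which is the behaviour the reply describes for rules that are "in no policies by default" versus rules placed in one of the three.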

