Snort mailing list archives
Re: Choosing the best rules
From: "Richard Harman Jr (rharmanj)" <rharmanj () cisco com>
Date: Mon, 24 Feb 2014 19:14:43 +0000
There's also the policy type in the rule metadata, which can be used by PulledPork. Here's a couple blog posts on the policies, and pulledpork. http://blog.snort.org/2013/10/snort-vrt-default-ruleset-rebalancing.html http://blog.snort.org/2012/01/importance-of-pulledpork.html Richard From: SnortFan <SnortFan () yahoo com<mailto:SnortFan () yahoo com>> Date: Monday, February 24, 2014 at 1:41 PM To: Michal Šutta <michal.sutta () gmail com<mailto:michal.sutta () gmail com>> Cc: "snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>" <snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>> Subject: Re: [Snort-users] Choosing the best rules That's a loaded question. What rules you enable should be dependent on your environment/network etc... I use pulled pork and use the enablesid.conf and disablesid.conf to turn on categories and disable certain rules. It's a constant tuning. Enabling all rules could put a heavy load on snort and flood where your storing the results (i.e. Base). Hope that helps, Ed Sent from a mobile device. On Feb 24, 2014, at 12:12 PM, Michal Šutta <michal.sutta () gmail com<mailto:michal.sutta () gmail com>> wrote: Hello, which rules should be enabled when I want to test Snort ? I downloaded the newest rules snortrules-snapshot-2960.tar.gz but there are only around 4000 rules enabled. Is it a good idea to enable them all ? Is there a quick way to configure security policy usidng pulledpork or oinkmaster ? ------------------------------------------------------------------------------ Flow-based real-time traffic analytics software. Cisco certified tool. Monitor traffic, SLAs, QoS, Medianet, WAAS etc. with NetFlow Analyzer Customize your own dashboards, set traffic alerts and generate reports. Network behavioral analysis & security monitoring. All-in-one tool. http://pubads.g.doubleclick.net/gampad/clk?id=126839071&iu=/4140/ostg.clktrk _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net<mailto:Snort-users () lists sourceforge net> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news! ------------------------------------------------------------------------------ Flow-based real-time traffic analytics software. Cisco certified tool. Monitor traffic, SLAs, QoS, Medianet, WAAS etc. with NetFlow Analyzer Customize your own dashboards, set traffic alerts and generate reports. Network behavioral analysis & security monitoring. All-in-one tool. http://pubads.g.doubleclick.net/gampad/clk?id=126839071&iu=/4140/ostg.clktrk _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net<mailto:Snort-users () lists sourceforge net> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------ Flow-based real-time traffic analytics software. Cisco certified tool. Monitor traffic, SLAs, QoS, Medianet, WAAS etc. with NetFlow Analyzer Customize your own dashboards, set traffic alerts and generate reports. Network behavioral analysis & security monitoring. All-in-one tool. http://pubads.g.doubleclick.net/gampad/clk?id=126839071&iu=/4140/ostg.clktrk
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Choosing the best rules Michal Šutta (Feb 24)
- Re: Choosing the best rules SnortFan (Feb 24)
- Re: Choosing the best rules Richard Harman Jr (rharmanj) (Feb 24)
- Re: Choosing the best rules James Lay (Feb 24)
- Re: Choosing the best rules Richard Harman Jr (rharmanj) (Feb 24)
- Re: Choosing the best rules SnortFan (Feb 24)