Snort mailing list archives
Re: Default rule set
From: James Lay <jlay () slave-tothe-box net>
Date: Fri, 16 May 2014 11:14:31 -0600
On 2014-05-16 11:01, Sallee, Jake wrote:
Hello All:

Does anyone have a recommendation for a default rule set? I am tuning my snort instances and the information I am finding seems to be that I need to try to keep my rules under 7k. The default ET rule set is ~15k if I am not mistaken, so I am looking for a good starting point. If anyone could share any wisdom about disabling whole ranges and/or categories I would very much appreciate it; also, if anyone has a standard list of entries to put in my disablesid.conf as a good starting point I would be very grateful.

If it helps, I work for a small private university with a sizeable resident population of students that I am essentially an ISP for, and I also have the standard office/corporate environment for my faculty/staff users too. Oh, and I have a full BYOD network on both the student and faculty/staff networks ... so, yeah ... I don't sleep at night.

Thank you in advance for any assistance you may be able to offer.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU
900 College St.
Belton, Texas 76513
Fone: 254-295-4658
Phax: 254-295-4221
First step... determine whether or not you care about getting alerts for services you're not running (do you want to see alerts regarding pop3 if you're not running pop3?). Next step, determine which services you ARE running (server side) that you want to see alerts on, and what types of things you want to see client side (do you care if you see Netflix usage, for example?) that you want to get alerts on. Next, disable rulesets that you have NO desire to see (after determining the above). If a ruleset is questionable, leave it in... you can always disable the entire ruleset after testing, or add the ones that do fire that you don't care about to your threshold.conf file. Lastly, as I see disablesid.conf in your initial email, read every file that pulledpork uses in the etc and doc dirs... that will help you out.

James
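As an added illustration of the triage James describes (not code from this thread, from Snort or from pulledpork), the script below parses a constructed rules file, tallies enabled rules per ET category so you can compare the list against the services you actually run, and emits gid:sid entries for the categories you decide to drop, in the one-entry-per-line form pulledpork's disablesid.conf accepts. The sids and rule text are constructed placeholders, not real ET signatures.

```python
import re
from collections import Counter

# Constructed sample rules file (placeholder sids, not real ET signatures).
# A leading "#" marks a rule that is already disabled in the file.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"ET POP3 sample login attempt"; flow:to_server,established; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"ET POP3 sample long command"; sid:9000002; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET SMTP sample already disabled"; sid:9000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY sample streaming client"; sid:9000004; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER sample probe"; sid:9000005; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"ET IMAP sample overflow"; sid:9000006; rev:1;)
"""

# Header up to the first "(", then the option block; "#" before the action means disabled.
RULE_RE = re.compile(r'^\s*(?P<off>#)?\s*(?:alert|log|pass|drop|reject|sdrop)\s+\S+\s.*?\((?P<opts>.*)\)\s*$')
MSG_RE = re.compile(r'msg:"([^"]*)"')
SID_RE = re.compile(r'\bsid:(\d+)\s*;')
GID_RE = re.compile(r'\bgid:(\d+)\s*;')


def parse_rules(text):
    """Return one dict per rule: gid, sid, category, enabled."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        opts = m.group("opts")
        msg, sid = MSG_RE.search(opts), SID_RE.search(opts)
        if not (msg and sid):
            continue
        gid = GID_RE.search(opts)
        words = msg.group(1).split()
        # ET rules carry their category in the msg text: "ET <CATEGORY> ...".
        category = words[1] if len(words) > 1 and words[0] == "ET" else "OTHER"
        rules.append({"gid": int(gid.group(1)) if gid else 1, "sid": int(sid.group(1)),
                      "category": category, "enabled": m.group("off") is None})
    return rules


def enabled_by_category(rules):
    """Count enabled rules per category: the list to review against the services you run."""
    return Counter(r["category"] for r in rules if r["enabled"])


def disablesid_entries(rules, categories):
    """gid:sid lines for every enabled rule in the unwanted categories (disablesid.conf format)."""
    return sorted(f'{r["gid"]}:{r["sid"]}' for r in rules
                  if r["enabled"] and r["category"] in categories)


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    print(enabled_by_category(rules))
    # Site runs no POP3 or IMAP and does not want alerts on streaming usage.
    print("\n".join(disablesid_entries(rules, {"POP3", "IMAP", "POLICY"})))
```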
Current thread:
- Default rule set Sallee, Jake (May 16)
- Re: Default rule set James Lay (May 16)
- Re: Default rule set Kurzawa, Kevin (May 16)
- Re: Default rule set Joel Esler (jesler) (May 16)
- Re: Default rule set waldo kitty (May 16)
- Re: Default rule set Y M (May 17)
- Re: Default rule set waldo kitty (May 17)
- Re: Default rule set Sallee, Jake (May 17)
- Default rule set Sallee, Jake (May 17)
- Re: Default rule set Y M (May 18)
- Re: Default rule set Jefferson, Shawn (May 23)