IDS mailing list archives

Re: snort-inline inbound ruleset?


From: Lance Spitzner <lance () honeynet org>
Date: Mon, 3 Feb 2003 11:41:37 -0600 (CST)

On Sun, 2 Feb 2003, John Flynn wrote:

I'm fairly new to the IDS scene. I want to deploy some sort of open
source IPS. I've read most of the stuff from the honeynet project and
those guys are doing a great job with snort-inline. They have a great
default ruleset to filter outgoing traffic. I was wondering if
snort-inline is a recommended approach for an IPS at this point and if
so, does someone have a good default blocking ruleset for incoming
untrusted traffic they could point me to? I have been having a huge
problem with false positive rates with snort on my network and I'm
struggling to come up with an IPS solution that won't block legitimate
traffic. Would people recommend I use hogwash or something else instead
of snort-inline? 

The ruleset used by the Honeynet Project can easily be used for
inbound traffic.  Just swap the variables HONEYNET and EXTERNAL_NET,
so the directions of inspection are reversed.  The current Honeynet
drop ruleset is a minimized ruleset designed only to stop known attacks
and exploits.  Of almost 2,000 possible Snort rules, the Honeynet
drop.rules ruleset has only about 250 rules.  However, this ruleset
is experimental, I'm sure it's missing some attacks (if you identify
any that should be added, please let the Project know).

    http://www.honeynet.org/papers/honeynet/tools/drop.rules

lance
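The variable swap Lance describes is easy to get wrong if done as two successive substitutions, so here is an added example (not from the post and not the Honeynet Project's own tooling) that mirrors the direction of every rule in one pass and leaves the `var` definitions alone. It assumes the rules reference the variables as `$HONEYNET` and `$EXTERNAL_NET` in their headers, as standard Snort rule syntax would; the sample rules are constructed for the example and are not taken from drop.rules.

```python
import re

# Constructed sample rules in the shape of a Snort drop ruleset. These are
# NOT the real Honeynet drop.rules; the variable names follow the e-mail and
# the rule bodies are made up for this example.
SAMPLE_RULES = """\
# comment lines and blank lines are passed through untouched
var HONEYNET 10.0.0.0/24
var EXTERNAL_NET any

drop tcp $EXTERNAL_NET any -> $HONEYNET 80 (msg:"WEB-IIS cmd.exe access"; content:"cmd.exe"; nocase;)
drop tcp $HONEYNET any -> $EXTERNAL_NET 6667 (msg:"IRC outbound"; content:"NICK "; nocase;)
drop tcp $EXTERNAL_NET any <> $HONEYNET 445 (msg:"bidirectional example";)
"""

_SWAP = {"$HONEYNET": "$EXTERNAL_NET", "$EXTERNAL_NET": "$HONEYNET"}
_PATTERN = re.compile(r"\$(?:HONEYNET|EXTERNAL_NET)\b")
_ACTIONS = ("alert", "drop", "sdrop", "reject", "log", "pass")


def swap_direction(rule_text: str) -> str:
    """Swap $HONEYNET and $EXTERNAL_NET in every rule header.

    One regex pass with a lookup table replaces both names atomically.
    'var' lines, comments and blank lines are passed through unchanged:
    the network each variable refers to must stay the same, only the
    rules' use of the variables is mirrored. Applying the function twice
    returns the original text.
    """
    out = []
    for line in rule_text.splitlines(keepends=True):
        stripped = line.lstrip()
        if not stripped or stripped.startswith("#") or stripped.startswith("var "):
            out.append(line)
            continue
        out.append(_PATTERN.sub(lambda m: _SWAP[m.group(0)], line))
    return "".join(out)


def naive_sed_swap(rule_text: str) -> str:
    """The two-step substitution (s/HONEYNET/EXTERNAL_NET/ followed by
    s/EXTERNAL_NET/HONEYNET/) that a quick sed job produces. After the
    first step every address is $EXTERNAL_NET and the second step turns
    them all into $HONEYNET, so no rule actually changes direction.
    Included only to show the failure mode."""
    return (rule_text.replace("$HONEYNET", "$EXTERNAL_NET")
                     .replace("$EXTERNAL_NET", "$HONEYNET"))


def rule_headers(rule_text: str):
    """Return (action, proto, src_ip, dst_ip) for each rule line.

    Snort rule headers are 'action proto src_ip src_port dir dst_ip dst_port';
    this is just enough parsing to check what the swap did.
    """
    headers = []
    for line in rule_text.splitlines():
        parts = line.split()
        if len(parts) >= 7 and parts[0] in _ACTIONS:
            headers.append((parts[0], parts[1], parts[2], parts[5]))
    return headers


if __name__ == "__main__":
    swapped = swap_direction(SAMPLE_RULES)
    for hdr in rule_headers(swapped):
        print(hdr)
```

Run the swap over a copy of the ruleset, then diff the result against the original: every rule line should differ and every `var` line should be identical. Since the function is its own inverse, swapping the output again and comparing with the input is a cheap sanity check that nothing was silently dropped.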


