PaulDotCom mailing list archives
[SNORT] Best rule categories to enable/disable
From: eslerj at gmail.com (Joel Esler)
Date: Wed, 30 Sep 2009 12:14:08 -0400
The basic answer is: What is on your network, what are you trying to catch, and what are you interested in? Start with Operating Systems. What OSes do you have? Turn those rules on. (netbios.rules, attack-response.rules, web-client.rules) What browsers (and versions) do you have, turn those rules on. What Programs do you use, turn those rules on. (Do you use AOL Instant Messenger?) What are you trying to catch: Employees surfing porn? (porn.rules) Employees that have spyware? (spyware-put.rules) Employees that are running unauthorized programs? (policy.rules, chat.rules) Viruses? (specific-threats.rules, virus.rules, exploit.rules) Exploits? etc What are you interested in: More of the above, but these are more optional: policy.rules chat.rules You see my point. Don't turn everything on because that will only create more work than you need, only turn on what you intended to DO something with, tailored to your network. What is actionable? Go with that. J On Wed, Sep 30, 2009 at 10:18 AM, Ben Greenfield <bcg at struxural.com> wrote:
It certainly sounds like you are running snort inline. I recommend tuning the snort.conf file to be a very accurate representation of the network snort is seeing traffic for. Are you running snort on your internal network or on your WAN connection? It sounds like you are running snort on your WAN connection. I would only run rule categories that relate to services you are actually running - if you don't have any HTTP servers accepting connections where Snort can see them, you don't need to run the HTTP rules, etc. On Wed, Sep 30, 2009 at 9:19 AM, Will Metcalf <william.metcalf at gmail.com> wrote:If you are running in passive mode this should not happen. If you are running inline then you should run with alert only rules until you can weed out false positives and then convert to drop rules one rule file at a time, or for certian types of events that you know you should never see in your environment. Regards, Will On Wed, Sep 30, 2009 at 2:18 AM, Thomas Fischer <tvfischer at gmail.com>wrote:So outside of enabling everything, which I can't seem to do as it is seriously impairing my network access by slow load times, pictures not showing up, IM disconnections, gaming issues. Which package rules would you enable or disable to have a safe butoptimizedsnort-ids probe? Cheers -- Thomas Fischer email: tvfischer at gmail.com tvfischer at free.fr twitter.com/FVT fvter.wordpress.com IM: gTalk:tvfischer at gmail.com <gTalk%3Atvfischer at gmail.com>MSN:tvfischer at hotmail.com <MSN%3Atvfischer at hotmail.com>Y!:tvfischer_FR PGP Key:https://keyserver1.pgp.com/vkd/DownloadKey.event?keyid=0x27FBA97646CF2077-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-Sent from Crosne, France _______________________________________________ Pauldotcom mailing list Pauldotcom at mail.pauldotcom.com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com_______________________________________________ Pauldotcom mailing list Pauldotcom at mail.pauldotcom.com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com_______________________________________________ Pauldotcom mailing list Pauldotcom at mail.pauldotcom.com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
-------------- next part -------------- An HTML attachment was scrubbed... URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20090930/a958c721/attachment.htm
Current thread:
- [SNORT] Best rule categories to enable/disable Thomas Fischer (Sep 30)
- [SNORT] Best rule categories to enable/disable Will Metcalf (Sep 30)
- [SNORT] Best rule categories to enable/disable Ben Greenfield (Sep 30)
- [SNORT] Best rule categories to enable/disable Joel Esler (Sep 30)
- [SNORT] Best rule categories to enable/disable Ben Greenfield (Sep 30)
- [SNORT] Best rule categories to enable/disable Jim Chrisos (Sep 30)
- [SNORT] Best rule categories to enable/disable Will Metcalf (Sep 30)