[SNORT] Best rule categories to enable/disable

[eslerj at gmail.com (Joel Esler)]

The basic answer is:  What is on your network, what are you trying to catch,
and what are you interested in?
Start with Operating Systems.
What OSes do you have?  Turn those rules on.  (netbios.rules,
attack-response.rules, web-client.rules)
What browsers (and versions) do you have, turn those rules on.
What Programs do you use, turn those rules on.  (Do you use AOL Instant
Messenger?)

What are you trying to catch:
Employees surfing porn? (porn.rules)
Employees that have spyware? (spyware-put.rules)
Employees that are running unauthorized programs? (policy.rules, chat.rules)
Viruses? (specific-threats.rules, virus.rules, exploit.rules)
Exploits?
etc

What are you interested in:
More of the above, but these are more optional:
policy.rules
chat.rules

You see my point.

Don't turn everything on because that will only create more work than you
need, only turn on what you intended to DO something with, tailored to your
network.

What is actionable?  Go with that.

J


On Wed, Sep 30, 2009 at 10:18 AM, Ben Greenfield <bcg at struxural.com> wrote:

> It certainly sounds like you are running snort inline.  I recommend
> tuning the snort.conf file to be a very accurate representation of the
> network snort is seeing traffic for.  Are you running snort on your
> internal network or on your WAN connection?  It sounds like you are
> running snort on your WAN connection.  I would only run rule
> categories that relate to services you are actually running - if you
> don't have any HTTP servers accepting connections where Snort can see
> them, you don't need to run the HTTP rules, etc.
>
> On Wed, Sep 30, 2009 at 9:19 AM, Will Metcalf <william.metcalf at gmail.com>
> wrote:
> > If you are running in passive mode this should not happen.  If you are
> > running inline then you should run with alert only rules until you can
> > weed out false positives and then convert to drop rules one rule file
> > at a time, or for certian types of events that you know you should
> > never see in your environment.
> >
> > Regards,
> >
> > Will
> >
> > On Wed, Sep 30, 2009 at 2:18 AM, Thomas Fischer <tvfischer at gmail.com>
> wrote:
> > > So outside of enabling everything, which I can't seem to do as it is
> > > seriously impairing my network access by slow load times, pictures not
> > > showing up, IM disconnections, gaming issues.
> > > Which package rules would you enable or disable to have a safe but
> optimized
> > > snort-ids probe?
> > > Cheers
> > >
> > > --
> > > Thomas Fischer
> > >     email: tvfischer at gmail.com tvfischer at free.fr  twitter.com/FVT
> > >  fvter.wordpress.com
> > >     IM:  gTalk:tvfischer at gmail.com <gTalk%3Atvfischer at gmail.com>
> MSN:tvfischer at hotmail.com <MSN%3Atvfischer at hotmail.com>
> > > Y!:tvfischer_FR
> > >     PGP Key:
> https://keyserver1.pgp.com/vkd/DownloadKey.event?keyid=0x27FBA97646CF2077
> > >
>  -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> > > Sent from Crosne, France
> > >
> > > _______________________________________________
> > > Pauldotcom mailing list
> > > Pauldotcom at mail.pauldotcom.com
> > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > Main Web Site: http://pauldotcom.com
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom at mail.pauldotcom.com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20090930/a958c721/attachment.htm