Snort mailing list archives

Filtering the Snort Rule Set for Firewall Blocks


From: James Chase <james () mandala-designs com>
Date: Fri, 28 Aug 2009 11:26:41 -0400

Hi,

I have recently set up a Snort sensor and am using snortsam with barnyard 
connected to an openBSD firewall to dynamically block IPs that trigger 
subsets of rules in snort.

My question is what is the best way to sort out a good rule set for our 
environment? Is there a general list of known rules that are always bad 
traffic that people are using, or is it really just watching the IDS 
every day and adding alerts that appear to be malicious and removing 
those that seem to alert on legitimate traffic? I notice a lot of rules 
have very general triggers, like accessing any page with calendar.php in 
it, and I notice that if the system we have set up were in production 
there would be a lot of good traffic being blocked.

And is anyone else using a setup with snort adding blocks on the 
firewall, and if so what is your setup like, how long do you block 
traffic for, and how do you mitigate the risk of blocking legitimate 
users for applications where the source IPs are dynamic?

Thanks for any feedback,
James
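One way to do this sorting mechanically instead of by eye, as an added example that is not from this thread, Snort or SnortSAM: a script that parses Snort rule lines, keeps only rules whose classtype is in an assumed auto-block set, skips rules whose only match is a bare script path such as calendar.php, and attaches an assumed per-classtype block length. The rule lines, SIDs, classtype set and durations are all constructed for the example.

```python
import re

# Constructed sample in Snort rule syntax; SIDs 9000001+ are placeholders, not real rules.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-PHP calendar.php access"; flow:to_server,established; uricontent:"/calendar.php"; classtype:web-application-activity; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB overflow attempt"; flow:to_server,established; content:"|ff|SMB"; content:"|00 00 00 00|"; classtype:attempted-admin; sid:9000002; rev:2;)
# alert tcp any any -> any any (msg:"disabled rule"; classtype:misc-activity; sid:9000099; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC beacon"; flow:to_server,established; content:"|de ad be ef|"; classtype:trojan-activity; sid:9000003; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS version.bind query"; content:"version.bind"; nocase; classtype:attempted-recon; sid:9000004; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC admin.php access"; flow:to_server,established; uricontent:"/admin.php"; classtype:attempted-admin; sid:9000005; rev:1;)
'''

# Assumption: classtypes severe enough to auto-block, each with a block length in minutes
# (kept short where the source may be a dynamic or shared address).
BLOCK_MINUTES = {"trojan-activity": 1440, "attempted-admin": 60, "shellcode-detect": 60}
# A match that is only a bare script path (no payload) fires on ordinary browsing too.
GENERIC_PATH = re.compile(r'^/?[\w.-]+\.(?:php|asp|aspx|cgi|jsp)$', re.I)
# key:value; pairs inside the rule body; quoted values may hold anything but a quote.
OPT_RE = re.compile(r'(\w+)\s*:\s*((?:"[^"]*"|[^;"])*);')

def parse_rule(line):
    """Return (header, options) for one uncommented rule line, else None."""
    line = line.strip()
    if not line or line.startswith("#") or "(" not in line:
        return None
    header, _, body = line.partition("(")
    opts = {}
    for key, val in OPT_RE.findall(body.rsplit(")", 1)[0]):
        opts.setdefault(key, []).append(val.strip().strip('"'))
    if "sid" not in opts or "classtype" not in opts:
        return None
    return header.strip(), opts

def select_block_rules(rule_text, block_minutes=BLOCK_MINUTES):
    """Split rules into (sid, classtype, msg, minutes) to block on and (sid, reason) to skip."""
    kept, rejected = [], []
    for line in rule_text.splitlines():
        parsed = parse_rule(line)
        if parsed is None:
            continue
        _header, opts = parsed
        sid, ctype, msg = int(opts["sid"][0]), opts["classtype"][0], opts["msg"][0]
        matches = opts.get("content", []) + opts.get("uricontent", [])
        if ctype not in block_minutes:
            rejected.append((sid, "classtype %s is alert-only" % ctype))
        elif matches and all(GENERIC_PATH.match(m) for m in matches):
            rejected.append((sid, "only matches a generic script path"))
        else:
            kept.append((sid, ctype, msg, block_minutes[ctype]))
    return kept, rejected
```

Calling `select_block_rules(SAMPLE_RULES)` keeps the SMB and beacon rules and rejects the calendar.php, version.bind and admin.php ones, each with the reason; the rejected list is what you would review by hand before deciding a rule belongs in the blocking subset.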
