Snort mailing list archives
Re: Filtering the Snort Rule Set for Firewall Blocks
From: CunningPike <cunningpike () gmail com>
Date: Fri, 28 Aug 2009 13:54:56 -0700
We ran our sensor for quite a while before we started using snortsam so we could get a feel for which rules would be good block candidates - I would advise you to do the same. The Emerging Threats project (http://www.emergingthreats.net/) has a couple of block rulesets that block known RBN hosts and so forth - they might be a good start for snortsam, but be aware that they are IP-based rules and can be quite processor intensive. You might find the IP blacklist beta code for snort of more interest in this area.

CP

On Fri, Aug 28, 2009 at 8:26 AM, James Chase <james () mandala-designs com> wrote:
Hi,

I have recently set up a Snort sensor and am using snortsam with barnyard connected to an OpenBSD firewall to dynamically block IPs that trigger subsets of rules in Snort. My question is what is the best way to sort out a good rule set for our environment? Is there a general list of known rules that are always bad traffic that people are using, or is it really just watching the IDS every day and adding alerts that appear to be malicious and removing those that seem to alert on legitimate traffic? I notice a lot of rules have very general triggers, like accessing any page with calendar.php in it, and I notice that if the system we have set up were in production there would be a lot of good traffic being blocked.

And is anyone else using a setup with Snort adding blocks on the firewall, and if so what is your setup like, how long do you block traffic for, and how do you mitigate the risk of blocking legitimate users for applications where the source IPs are dynamic?

Thanks for any feedback,

James
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
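A worked example of the rule-set filtering James asks about, added to this archive page as an illustration; it is not code from Snort, snortsam or the Emerging Threats project and is not part of either message above. It assumes Snort 2 rule syntax and snortsam's `fwsam: <src|dst>, <duration>;` rule option; the sample rules, their SIDs and the classtype policy are constructed for the example. It keeps only rules whose classtype is in an operator-chosen high-confidence set (or an explicit always-block list), drops a never-block list of rules known to fire on legitimate traffic, skips content-less IP-only rules unless told to keep them, and picks the block target from the rule's direction so an outbound rule does not end up blocking your own host.

```python
"""Select Snort rules that are safe to hand to snortsam for firewall blocks.

Added example for this thread, not code from Snort, snortsam or Emerging
Threats.  Assumes Snort 2 rule syntax (header followed by parenthesised
options) and snortsam's rule option in the form ``fwsam: src, 1 hour;``.
"""
import re
from dataclasses import dataclass

# Constructed sample rule set.  The SIDs sit in the local (>= 1000000) range
# and were invented for this example; they refer to no published rule.
SAMPLE_RULES = r'''
# broad web trigger of the calendar.php kind: fires on legitimate traffic too
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL calendar.php access"; flow:to_server,established; content:"calendar.php"; nocase; http_uri; classtype:web-application-activity; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"LOCAL IRC bot check-in"; flow:to_server,established; content:"NICK [bot]"; content:"USER attack"; classtype:trojan-activity; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL ssh scanner banner"; flow:to_server,established; content:"SSH-2.0-libssh"; classtype:attempted-recon; sid:1000003; rev:1;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL known bad host"; classtype:trojan-activity; sid:1000004; rev:1;)
'''

RULE_RE = re.compile(
    r'^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\S+)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')
# key[:value]; -- the value may be a quoted string containing escaped quotes
OPT_RE = re.compile(r'\s*([A-Za-z_]+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*?))?\s*;')


@dataclass
class Rule:
    text: str
    src: str
    sid: int
    classtype: str
    contents: list
    has_fwsam: bool


@dataclass(frozen=True)
class BlockPolicy:
    # classtypes the operator trusts enough to block on (a constructed choice)
    block_classtypes: frozenset = frozenset(
        {'trojan-activity', 'attempted-admin', 'successful-admin'})
    always_sids: frozenset = frozenset()   # curated: block regardless of classtype
    never_sids: frozenset = frozenset()    # known to fire on legitimate traffic
    allow_contentless: bool = False        # IP-only rules with no content match
    duration: str = '1 hour'


def parse_rule(line):
    """Return a Rule for one rule line, or None for blanks, comments and junk."""
    line = line.strip()
    if not line or line.startswith('#'):
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    opts, contents = {}, []
    for key, val in OPT_RE.findall(m.group('opts')):
        if key == 'content':
            contents.append(val.strip('"'))
        else:
            opts.setdefault(key, val.strip())
    if not opts.get('sid', '').isdigit():
        return None
    return Rule(text=line, src=m.group('src'), sid=int(opts['sid']),
                classtype=opts.get('classtype', ''), contents=contents,
                has_fwsam='fwsam' in opts)


def is_block_candidate(rule, policy):
    """Never-block list wins, then always-block, then classtype plus content."""
    if rule.sid in policy.never_sids:
        return False
    if rule.sid in policy.always_sids:
        return True
    if rule.classtype not in policy.block_classtypes:
        return False
    return bool(rule.contents) or policy.allow_contentless


def block_target(rule):
    """Block the external side: for an outbound rule that is the destination."""
    return 'dst' if rule.src == '$HOME_NET' else 'src'


def tag_for_snortsam(rule, policy):
    """Append the fwsam option unless the rule author already set one."""
    if rule.has_fwsam:
        return rule.text
    return rule.text[:-1].rstrip() + ' fwsam: %s, %s;)' % (
        block_target(rule), policy.duration)


def filter_ruleset(text, policy):
    """Return [(sid, tagged_rule_text)] for every block candidate in text."""
    out = []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is not None and is_block_candidate(rule, policy):
            out.append((rule.sid, tag_for_snortsam(rule, policy)))
    return out


if __name__ == '__main__':
    policy = BlockPolicy(always_sids=frozenset({1000003}))
    for sid, text in filter_ruleset(SAMPLE_RULES, policy):
        print(sid, text)
```

Run it against the real rule files only after the watching period CP recommends, and feed the output to a separate rules file so the blocking subset is auditable. The never-block list is where broad rules such as the calendar.php one go; exemptions for addresses that are dynamic or shared belong in snortsam's own configuration (its dontblock directive, if memory serves) rather than in the rule set, because the rule cannot know who currently holds the address.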
Current thread:
- Filtering the Snort Rule Set for Firewall Blocks James Chase (Aug 28)
- Re: Filtering the Snort Rule Set for Firewall Blocks CunningPike (Aug 28)
- Re: Filtering the Snort Rule Set for Firewall Blocks Frank Knobbe (Aug 29)
- Re: Filtering the Snort Rule Set for Firewall Blocks CunningPike (Aug 28)