Snort mailing list archives

Re: Filtering the Snort Rule Set for Firewall Blocks


From: Frank Knobbe <frank () knobbe us>
Date: Sat, 29 Aug 2009 16:05:49 -0500

On Fri, 2009-08-28 at 13:54 -0700, CunningPike wrote:
> We ran our sensor for quite a while before we started using snortsam
> so we could get a feel for which rules would be good block candidates
> - I would advise you to do the same.
>
> The Emerging Threats project (http://www.emergingthreats.net/) has a
> couple of block rulesets that block known RBN hosts and so forth -
> they might be a good start for snortsam, but be aware that they are
> IP-based rules and can be quite processor intensive. You might find
> the IP blacklist beta code for snort of more interest in this area.

I never understood why IP based rules are required to block with
Snortsam. If you know bad IPs already, block 'em! Don't wait for the
alert.

Even written rules ready for Snortsam (fwsam option) should be reviewed.
As CP said, run rules for a while and see if they create false positives.
For example, 'content:"Useragent: Morfeus F Scanner"' has a 0 chance of
false positives, so it's safe to configure that with autoblock.
'content:"setup.php"' on the other hand may false occasionally, so it's
probably not a good candidate. It really depends on the signature
itself, your environment (only servers, or also users browsing out that
can create alerts that may trigger, what type of servers, etc), and what
level of risk in regards to false positives you want to take.

I myself am cautious, so I only have a couple dozen sigs on auto-block.
Our IDS console allows us to block when we determine it's a real attack.
Your mileage may vary of course. IDS in general is not a
configure-and-forget sorta thing, so don't assume you can just configure
tons of sigs to auto-block and let it run unattended :)

Cheers,
Frank
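The "run the rules for a while first" advice above, turned into a small baseline review as an added example (not code from Frank, CunningPike or the SnortSam project): it parses Snort alert_fast lines, counts per SID how many alerts were sourced from inside HOME_NET (own users browsing out, the false-positive case named in the post), and only nominates SIDs with no such hits for the fwsam option. The alert lines, the SIDs 9000001/9000002 and the 192.0.2.0/24 HOME_NET are constructed, and the "no internal sources" rule is my own heuristic, not a SnortSam policy.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed Snort alert_fast lines standing in for a baseline run (not real traffic).
# SIDs 9000001/9000002 are made up; 192.0.2.0/24 plays the role of HOME_NET.
SAMPLE_ALERTS = """\
08/20-09:12:01.000001  [**] [1:9000001:1] TEST SCAN Morfeus F Scanner [**] [Priority: 2] {TCP} 203.0.113.5:51234 -> 192.0.2.10:80
08/21-11:40:13.000002  [**] [1:9000001:1] TEST SCAN Morfeus F Scanner [**] [Priority: 2] {TCP} 198.51.100.7:40011 -> 192.0.2.10:80
08/22-08:05:44.000003  [**] [1:9000002:1] TEST WEB setup.php access [**] [Priority: 2] {TCP} 203.0.113.9:33000 -> 192.0.2.10:80
08/22-08:06:10.000004  [**] [1:9000002:1] TEST WEB setup.php access [**] [Priority: 2] {TCP} 192.0.2.55:50122 -> 198.51.100.20:80
"""
HOME_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed local range

ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):?\d* -> (?P<dst>[\d.]+):?\d*"
)

def parse_alerts(text):
    """Yield one dict per parsable alert_fast line."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            yield m.groupdict()

def review_rules(text, home_net=HOME_NET):
    """Per SID: total hits and hits sourced from inside home_net
    (our own users tripping the rule while browsing out, i.e. likely false positives)."""
    stats = defaultdict(lambda: {"msg": "", "hits": 0, "internal_src": 0})
    for a in parse_alerts(text):
        s = stats[a["sid"]]
        s["msg"] = a["msg"]
        s["hits"] += 1
        if ipaddress.ip_address(a["src"]) in home_net:
            s["internal_src"] += 1
    return stats

def autoblock_candidates(stats):
    """Heuristic (an assumption, not SnortSam policy): qualify only if no baseline alert came from our own network."""
    return sorted(sid for sid, s in stats.items() if s["internal_src"] == 0)

def fwsam_option(duration="1 hour"):
    """SnortSam rule option that blocks the alert's source for the given time."""
    return f"fwsam: src, {duration};"

if __name__ == "__main__":
    stats = review_rules(SAMPLE_ALERTS)
    for sid in autoblock_candidates(stats):
        print(f"sid {sid} ({stats[sid]['msg']}): append '{fwsam_option()}' to the rule")
```

Point it at a real alert_fast file and a longer baseline window before trusting the output; a SID that never fires from inside during a week may still false on a traffic pattern the window did not contain.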


