Default Rules

[Clue Store <cluestore () gmail com>]

Hi All,

I’m new to Snort, so take it easy :) I have enabled the portscan
preprocessor and am detecting port scans from Nessus and Nmap, but if I
disable that preprocessor, i’m not getting much else in the way of
intrusions (this could be due to the fact that im only sniffing a small
amount of traffic for a few hosts). I also see that alot of the rules are
#‘d out, so they aren’t being used.

1. Should I uncomment out some of these some or all of the rules (for
example, I have alot of different SQL servers on my network I want to
protect). What about the bad-traffic.rules, etc??? Are these commented out
due to too many false positives and noise???
2. What is a good way of testing some of the rules out?? Do I deploy an
un-patched server with IIS and SQL for example that have known
vulnerabilities?? Honeypots??

Thanks,
Max

------------------------------------------------------------------------------
ThinkGeek and WIRED's GeekDad team up for the Ultimate 
GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the 
lucky parental unit.  See the prize list and enter to win: 
http://p.sf.net/sfu/thinkgeek-promo

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users