Snort mailing list archives
Default Rules
From: Clue Store <cluestore () gmail com>
Date: Mon, 21 Jun 2010 07:59:53 -0500
Hi All,

I'm new to Snort, so take it easy :)

I have enabled the portscan preprocessor and am detecting port scans from Nessus and Nmap, but if I disable that preprocessor, I'm not getting much else in the way of intrusions (this could be due to the fact that I'm only sniffing a small amount of traffic for a few hosts). I also see that a lot of the rules are #'d out, so they aren't being used.

1. Should I uncomment some or all of these rules (for example, I have a lot of different SQL servers on my network I want to protect)? What about the bad-traffic.rules, etc??? Are these commented out due to too many false positives and noise???

2. What is a good way of testing some of the rules out?? Do I deploy an un-patched server with IIS and SQL, for example, that have known vulnerabilities?? Honeypots??

Thanks,
Max
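A small added helper (not from the thread or from Snort itself) that answers the "which rules are #'d out" question mechanically: it parses the include lines of a snort.conf and counts active versus commented-out rules in a rules file. Both inputs below are constructed samples; point the functions at your own snort.conf and rules files.

```python
import re

# Constructed snort.conf fragment: some rule sets enabled, others commented out.
SAMPLE_CONF = """\
var RULE_PATH rules
include $RULE_PATH/local.rules
#include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/sql.rules
# include $RULE_PATH/web-iis.rules
"""

# Constructed rules file: one active rule, two rules disabled with a leading '#'.
SAMPLE_RULES = """\
# Rules file (constructed example, not a real Snort rule set)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL probe"; sid:1000001; rev:1;)
#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1434 (msg:"MS-SQL ping"; sid:1000002; rev:1;)
# alert udp any any -> any 53 (msg:"DNS test"; sid:1000003; rev:1;)
"""

# An optional '#' (with optional whitespace) before the keyword marks a disabled entry.
INCLUDE_RE = re.compile(r'^\s*(#\s*)?include\s+(\S+)')
RULE_RE = re.compile(r'^\s*(#\s*)?(alert|log|pass|drop|reject|sdrop)\s')


def rule_set_status(conf_text):
    """Map each included rules file to True (enabled) or False (commented out)."""
    status = {}
    for line in conf_text.splitlines():
        m = INCLUDE_RE.match(line)
        if m:
            status[m.group(2)] = m.group(1) is None
    return status


def count_rules(rules_text):
    """Return (active, disabled) rule counts; comment lines that are not rules are ignored."""
    active = disabled = 0
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        if m.group(1) is None:
            active += 1
        else:
            disabled += 1
    return active, disabled


if __name__ == "__main__":
    for path, enabled in rule_set_status(SAMPLE_CONF).items():
        print(f"{'enabled ' if enabled else 'disabled'}  {path}")
    print("active/disabled rules in sample file:", count_rules(SAMPLE_RULES))
```

Multi-line rules (continued with a trailing backslash) are counted once, since only the line carrying the action keyword matches.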