Re: Default Rules

[Clue Store <cluestore () gmail com>]

Hi Joe,

I do understand that I should disable all rules that I know I wont have any
services for. The policy manager looks very cool and I will check it out as
this will probably help me with managing rules.

I have a rather small environment (~30 servers), so with the policy manager,
I should be able to turn on most rules and turn them off as I need to.

Thanks for the info,
Max

On Mon, Jun 21, 2010 at 8:45 AM, Joe Pampel <jpampel () paladyne com> wrote:

>  Jm2c:
>
>
>
> 1.       Ideally you should adjust the rulebase to reflect your network.
> If you are not running Oracle, disable Oracle rules as an example. Someone
> could throw Oracle attacks at you all day and you really don’t care. ;) You
>  want to limit the number of hits you get to be things you need to care
> about. There are so many random SSH, ICMP, etc scans that no one could ever
> follow up on them all.  I use IDS Policy Manager (
> http://www.activeworx.org/Default.aspx?tabid=55) to track my rules which
> makes it a lot easier to see what they all are, turn them one and off, etc.
>
>
> 2.       Good way to “test” it out is to tap traffic outside your internet
> facing router and see all the bad stuff in the wild. Your sensor will get a
> workout. ;)   Not realistic, but you will see rules fire.
>
> 3.       My advice is to download Splunk and have it collect your snort
> logs (or have snort syslog to splunk). The free version is very cost
> effective ;) and does not choke on large numbers of entries. It’s also
> helpful to ID patterns in your alert traffic.  For example, I have a person
> in Poland who SNMP scans me 1 host at a time, 2 packets a day. For the past
> month. J I doubt I would have noticed that otherwise with all the other
> daily excitement.
>
> 4.       I would not deploy anything deliberately vulnerable other than a
> purpose built honeypot.
>
>
>
>
>
> *From:* Clue Store [mailto:cluestore () gmail com]
> *Sent:* Monday, June 21, 2010 9:00 AM
> *To:* snort-users () lists sourceforge net
> *Subject:* [Snort-users] Default Rules
>
>
>
> Hi All,
>
> I’m new to Snort, so take it easy :) I have enabled the portscan
> preprocessor and am detecting port scans from Nessus and Nmap, but if I
> disable that preprocessor, i’m not getting much else in the way of
> intrusions (this could be due to the fact that im only sniffing a small
> amount of traffic for a few hosts). I also see that alot of the rules are
> #‘d out, so they aren’t being used.
>
> 1. Should I uncomment out some of these some or all of the rules (for
> example, I have alot of different SQL servers on my network I want to
> protect). What about the bad-traffic.rules, etc??? Are these commented out
> due to too many false positives and noise???
>
> 2. What is a good way of testing some of the rules out?? Do I deploy an
> un-patched server with IIS and SQL for example that have known
> vulnerabilities?? Honeypots??
>
>
>
> Thanks,
>
> Max
>
> ------------------------------
> The information contained in this correspondence is intended solely for the
> person or entity entitled to receive the confidential and/or privileged
> material that it may contain. Any review, retransmission, dissemination or
> other use of, or taking of any action in reliance upon, the information in
> this correspondence (including any attachments) by anyone other than the
> intended recipient is strictly prohibited. If you believe that you may not
> be the intended recipient, please destroy and/or delete this correspondence
> and the attachment(s).
------------------------------------------------------------------------------
ThinkGeek and WIRED's GeekDad team up for the Ultimate 
GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the 
lucky parental unit.  See the prize list and enter to win: 
http://p.sf.net/sfu/thinkgeek-promo

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users