Snort mailing list archives
Re: same question about snort rules
From: Jason Wallace <jason.r.wallace () gmail com>
Date: Thu, 4 Aug 2011 08:44:25 -0400
On Wed, Aug 3, 2011 at 11:53 PM, Zhuxian <zhuxian () huawei com> wrote:
1. Does snort provide the test tools and test model to test these rules? Or are there any suggested tools to test these rules? If snort does not provide them, does SourceFire provide them?
I do not know of any testing tools related to snort rules in general. What type of testing are you looking for?
2. Some rules are commented out in the rules file released by snort. Does this mean these are the default rule settings for snort? Are there any references or guides for the customer to tune the rule set?
The rules are broken up into three policy groups: Connectivity, Balanced, and Security. Take a look at... http://code.google.com/p/pulledpork/source/browse/trunk/doc/README.RULESET for a high level view of these policies. I'm not sure what policy the default state of the rules is tied to. If you use a rule management tool that can use these policy settings, like pulledpork, then it will enable/disable rules based on what policy you choose.

These policies are just a starting point. What you run for rules depends on what you are trying to protect. If you are not running Windows servers, you can turn off all the Windows related rules. If you are running Apache, then you probably want to turn those rules on. Even then you want to be specific about what rules you enable. Just because you are running Apache doesn't mean you need to run all the Apache related rules. If you are running an older version of Apache you would need to run more rules than if it were the current version of Apache. What rules you enable should be tied to what OS you are using, what applications/services you want to protect, and what vulnerabilities those OSes and apps/services have.

There are also more general rules that look for things like malware and policy violations. Whether or not you enable those rules depends on what you do or do not allow in your environment.

For general tuning information look at some of the webcasts at snort.org... http://www.snort.org/community/snort-webcast-series/
Regards, Kurtzhu

------------------------------------------------------------------------------
BlackBerry® DevCon Americas, Oct. 18-20, San Francisco, CA
The must-attend event for mobile developers. Connect with experts. Get tools for creating Super Apps. See the latest technologies. Sessions, hands-on labs, demos & much more. Register early & save! http://p.sf.net/sfu/rim-blackberry-1
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
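The policy-based enable/disable step Jason describes, as an added example that is not code from the thread or from pulledpork: a small Python script that reads Snort-format rules, looks at the `metadata:policy <name>-ips <action>` tags carried by the VRT rules, switches on only the rules tagged for the chosen policy (connectivity, balanced or security), and then additionally disables whole categories (for instance OS-WINDOWS on a sensor that protects no Windows hosts). The four rules embedded below are constructed for the example with local-range SIDs; they are not rules from any released ruleset, and the parsing and selection logic here is a model of the behaviour, not pulledpork's own implementation.

```python
"""Toggle Snort rules by VRT-style policy metadata and by what the sensor protects.

Added example (not from the mailing-list thread or from pulledpork).
The rule text below is constructed for illustration only.
"""
import re

# Constructed sample rules: local-range SIDs, illustrative msg/metadata text.
# Lines starting with "# " are rules that ship commented out (disabled).
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS SMB constructed example"; flow:to_server,established; content:"|FF|SMB"; classtype:attempted-admin; sid:1000001; rev:1; metadata:policy balanced-ips drop, policy security-ips drop;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-APACHE constructed example"; flow:to_server,established; content:"/cgi-bin/"; classtype:web-application-attack; sid:1000002; rev:1; metadata:policy security-ips drop;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC constructed beacon example"; flow:to_server,established; content:"beacon"; classtype:trojan-activity; sid:1000003; rev:1; metadata:policy connectivity-ips drop, policy balanced-ips drop, policy security-ips drop;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"INDICATOR-SCAN constructed ssh example"; flow:to_server; classtype:attempted-recon; sid:1000004; rev:1;)
"""

RULE_RE = re.compile(r'^(alert|drop|pass|log|sdrop|reject)\s+\S+\s+.*\(.*\)$')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg:\s*"([^"]*)"\s*;')
META_RE = re.compile(r'\bmetadata:\s*([^;]*);')
# VRT rules tag policies as "policy balanced-ips drop" inside metadata.
POLICY_RE = re.compile(r'policy\s+([a-z]+)-ips\s+([a-z]+)')


def parse_rules(text):
    """Return a list of dicts, one per rule (commented-out rules included)."""
    rules = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        shipped_disabled = stripped.startswith("#")
        body = stripped.lstrip("#").strip()
        if not RULE_RE.match(body):
            continue  # an ordinary comment, not a commented-out rule
        sid_m, msg_m = SID_RE.search(body), MSG_RE.search(body)
        if not sid_m or not msg_m:
            raise ValueError("rule without sid/msg: %s" % body)
        meta_m = META_RE.search(body)
        policies = dict(POLICY_RE.findall(meta_m.group(1))) if meta_m else {}
        msg = msg_m.group(1)
        rules.append({
            "sid": int(sid_m.group(1)),
            "category": msg.split(" ", 1)[0],   # e.g. OS-WINDOWS, SERVER-APACHE
            "policies": policies,               # e.g. {"balanced": "drop"}
            "shipped_disabled": shipped_disabled,
            "body": body,
        })
    return rules


def select_rules(rules, policy, disable_categories=()):
    """Map sid -> enabled. A rule is on only if its metadata lists the chosen
    policy; rules with no policy tag stay off; whole categories can be forced off
    (e.g. OS-WINDOWS where no Windows hosts are protected)."""
    enabled = {}
    for r in rules:
        on = policy in r["policies"]
        if r["category"] in disable_categories:
            on = False
        enabled[r["sid"]] = on
    return enabled


def render(rules, enabled):
    """Write the rules back out, commenting out the ones that are disabled."""
    return "\n".join(("" if enabled[r["sid"]] else "# ") + r["body"] for r in rules)


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for pol in ("connectivity", "balanced", "security"):
        on = select_rules(rules, pol)
        print(pol, sorted(s for s, e in on.items() if e))
    # Security policy on a sensor with no Windows hosts behind it.
    print(render(rules, select_rules(rules, "security", disable_categories=("OS-WINDOWS",))))
```

Note that the shipped comment state is ignored once a policy is applied: the SERVER-APACHE rule is commented out in the sample file but comes on under the security policy, while the untagged INDICATOR-SCAN rule stays off under every policy and has to be enabled by hand if you want it.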
Current thread:
- same question about snort rules Zhuxian (Aug 03)
- Re: same question about snort rules Jason Wallace (Aug 04)
- Re: some question about snort rules Zhuxian (Aug 17)
- Re: some question about snort rules Joel Esler (Aug 17)
- Re: some question about snort rules JJC (Aug 17)
- Re: some question about snort rules Zhuxian (Aug 17)
- Re: same question about snort rules Jason Wallace (Aug 04)
- Re: same question about snort rules Joel Esler (Aug 04)
- Re: same question about snort rules Will Metcalf (Aug 04)
- Re: same question about snort rules Joel Esler (Aug 04)
- Re: same question about snort rules rmkml (Aug 04)
- Re: same question about snort rules rmkml (Aug 04)
- Re: same question about snort rules Joel Esler (Aug 04)
- Re: same question about snort rules Will Metcalf (Aug 04)