Snort mailing list archives

Re: same question about snort rules


From: Jason Wallace <jason.r.wallace () gmail com>
Date: Thu, 4 Aug 2011 08:44:25 -0400

On Wed, Aug 3, 2011 at 11:53 PM, Zhuxian <zhuxian () huawei com> wrote:
1. Does snort provide the test tools and test model to test these rules? Or are there any suggested tools to test
these rules?
  If snort does not provide any, does SourceFire provide them?


I do not know of any testing tools related to snort rules in
general. What type of testing are you looking for?

2. Some rules are commented in rules file released by snort. Does this mean these are the default rules setting for
snort? Are there any references or guides for the customer to tune the rule set?


The rules are broken up into three policy groups Connectivity,
Balanced, and Security. Take a look at...

 http://code.google.com/p/pulledpork/source/browse/trunk/doc/README.RULESET

For a high level view of these policies. I'm not sure what policy the
default state of the rules is tied to. If you use a rule management
tool that can use these policy settings, like pulledpork, then it
will enable/disable rules based on what policy you choose. These
policies are just a starting point. What you run for rules depends on
what you are trying to protect. If you are not running Windows
servers, you can turn off all the Windows-related rules. If you are
running Apache, then you probably want to turn those rules on. Even
then you want to be specific about what rules you enable. Just because
you are running Apache doesn't mean you need to run all the Apache
related rules. If you are running an older version of Apache you would
need to run more rules than if it were the current version of Apache.
What rules you enable should be tied to what OS you are using, what
applications/services you want to protect, and what vulnerabilities
those OSes and apps/services have. There are also more general rules
that look for things like malware and policy violations. Whether or
not you enable those rules depends on what you do or do not allow in
your environment.

For general tuning information look at some of the webcasts at snort.org...

http://www.snort.org/community/snort-webcast-series/


Regards,
Kurtzhu
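To make the two points in the reply concrete (policy groups driving the enabled/disabled state, and then pruning by what you actually run), here is a small added example of the workflow a tool like pulledpork automates. It is illustration code written for this archive page, not pulledpork or Snort code. It assumes the VRT convention of tagging rules with `metadata:policy connectivity-ips|balanced-ips|security-ips ...` and `service ...`, and that a rule is disabled in the file by a leading `#`; the sample rules, their SIDs and their messages are constructed placeholders, not real signatures.

```python
"""Toy policy-based Snort rule selector (example code, not pulledpork/Snort).

Given a rules file in Snort 2 syntax, enable every rule tagged with the chosen
policy, then disable rules for services or subjects you do not run, and write
the file back out with '#' toggled accordingly.
"""
import re
from dataclasses import dataclass

POLICIES = ("connectivity-ips", "balanced-ips", "security-ips")

# A rule line, optionally commented out with '#', in Snort 2 syntax.
RULE_RE = re.compile(r'^(?P<disabled>#\s*)?(?P<body>(alert|drop|pass|log)\s+.*\(.*\))\s*$')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg:\s*"([^"]*)"\s*;')
META_RE = re.compile(r'\bmetadata:\s*([^;]*);')

# Constructed sample rules for this example: placeholder SIDs, not real VRT signatures.
SAMPLE_RULES = r'''
# Constructed sample rules; placeholder SIDs, not real VRT signatures.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXAMPLE apache 1.3 request probe"; flow:to_server,established; content:"GET"; metadata:policy security-ips drop, service http; classtype:web-application-attack; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE windows SMB probe"; flow:to_server,established; content:"|FF|SMB"; metadata:policy balanced-ips drop, policy security-ips drop, service netbios-ssn; classtype:attempted-recon; sid:9000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE malware beacon"; flow:to_server,established; content:"beacon"; metadata:policy connectivity-ips drop, policy balanced-ips drop, policy security-ips drop; classtype:trojan-activity; sid:9000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"EXAMPLE policy IRC connection"; flow:to_server,established; metadata:policy balanced-ips alert, policy security-ips drop; classtype:policy-violation; sid:9000004; rev:1;)
'''


@dataclass
class Rule:
    sid: int
    msg: str
    policies: set   # policy names from metadata, e.g. {"balanced-ips"}
    services: set   # service names from metadata, e.g. {"http"}
    body: str       # rule text without the leading '#'


def parse_rules(text):
    """Parse rule lines (enabled or '#'-disabled) into Rule records."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # blank lines and ordinary comments
        body = m.group("body")
        sid = SID_RE.search(body)
        msg = MSG_RE.search(body)
        meta = META_RE.search(body)
        policies, services = set(), set()
        if meta:
            for item in meta.group(1).split(","):
                parts = item.split()
                if len(parts) >= 2 and parts[0] == "policy":
                    policies.add(parts[1])
                elif len(parts) >= 2 and parts[0] == "service":
                    services.add(parts[1])
        rules.append(Rule(int(sid.group(1)) if sid else 0,
                          msg.group(1) if msg else "", policies, services, body))
    return rules


def select_rules(rules, policy, disable_services=(), disable_msg_keywords=()):
    """Return {sid: enabled}.

    A rule is enabled when it carries the chosen policy tag and is not excluded
    for the environment: a service you do not run (by metadata 'service') or a
    subject you do not care about (keyword in msg, e.g. 'windows').
    """
    if policy not in POLICIES:
        raise ValueError("unknown policy %r" % policy)
    excluded_services = set(disable_services)
    decisions = {}
    for r in rules:
        enabled = policy in r.policies
        if enabled and (r.services & excluded_services):
            enabled = False
        if enabled and any(k.lower() in r.msg.lower() for k in disable_msg_keywords):
            enabled = False
        decisions[r.sid] = enabled
    return decisions


def render(rules, decisions):
    """Write the rules back out, commenting out anything not enabled."""
    lines = []
    for r in rules:
        prefix = "" if decisions.get(r.sid) else "# "
        lines.append(prefix + r.body)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    # Balanced policy for a site with no Windows servers and no SMB exposure.
    decisions = select_rules(rules, "balanced-ips",
                             disable_services=("netbios-ssn",),
                             disable_msg_keywords=("windows",))
    print(render(rules, decisions))
```

Note that the selection is deliberately two-stage: the policy tag decides the baseline, and the environment exclusions only ever turn rules off. Turning extra rules on (the older-Apache case in the reply) is a matter of choosing the broader policy or enabling the specific SIDs by hand, which this toy leaves to the operator.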


------------------------------------------------------------------------------
BlackBerry&reg; DevCon Americas, Oct. 18-20, San Francisco, CA
The must-attend event for mobile developers. Connect with experts.
Get tools for creating Super Apps. See the latest technologies.
Sessions, hands-on labs, demos & much more. Register early & save!
http://p.sf.net/sfu/rim-blackberry-1
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

