Re: some question about snort rules

[Zhuxian <zhuxian () huawei com>]

For the VRT rules,  how i know which rules related to which OS, such as windows, Suse? I have not found any attribute 
in the rule to indicate it is windows related or not. 

And for the Apache, how i know which rules related to Apache? I can't find any rule file named apache.rules.  Do you 
means i should enable all rules in web-**.rules files? 



> -----Original Message-----
> From: Jason Wallace [mailto:jason.r.wallace () gmail com] 
> Sent: Thursday, August 04, 2011 8:44 PM
> To: Zhuxian
> Cc: snort-sigs () lists sourceforge net; Likun
> Subject: Re: [Snort-sigs] same question about snort rules
>
> On Wed, Aug 3, 2011 at 11:53 PM, Zhuxian <zhuxian () huawei com> wrote:
> > 1. Does snort provide the test tools and test model to test 
> these rules? Or is there any suggested tools to test these rules?
> >   If snort does not provide, does SourceFire provide?
>
> I do not know of any testing tools related to to snort rules 
> in general. What type of testing are you looking for?
>
> > 2. Some rules are commented in rules file released by snort. 
> Does this means these are the default rules setting for snort? 
> Is their any references or guides for the customer to tune the 
> rule set?
> >
>
> The rules are broken up into three policy groups Connectivity, 
> Balanced, and Security. Take a look at...
>
>
> http://code.google.com/p/pulledpork/source/browse/trunk/doc/REA
> DME.RULESET
>
> For a high level view of these policies. I'm not sure what 
> policy the default state of the rules is tied to. If you use a 
> rule management tool that can use theses policy settings, like 
> pulledpork, then it will enable/disable rules based on what 
> policy you choose. These policies are just a starting point. 
> What you run for rules depends on what you are trying to 
> protect. If you are not running Windows servers, you can turn 
> off all the windows related rules. If you are running Apache, 
> then you probably want to turn those rule on. Even then you 
> want to be specific about what rules you enable. Just because 
> you are running Apache doesn't mean you need to run all the 
> Apache related rules. If you are running an older version of 
> Apache you would need to run more rules than if it were the 
> current version of Apache.
> What rules you enable should be tied to what OS you are using, 
> what applications/services you want to protect, and what 
> vulnerabilities those OS's and apps/services have. There are 
> also more general rules that look for things like malware and 
> policy violations. Whether or not you enable those rules 
> depends on what you do or do not allow in your environment.
>
> For general tuning information look at some of the webcasts at 
> snort.org...
>
> http://www.snort.org/community/snort-webcast-series/
>
>
> > Regards,
> > Kurtzhu
> ----------------------------------------------------------------------
> > -------- BlackBerry&reg; DevCon Americas, Oct. 18-20, San Francisco, 
> > CA The must-attend event for mobile developers. Connect with experts.
> > Get tools for creating Super Apps. See the latest technologies.
> > Sessions, hands-on labs, demos & much more. Register early & save!
> > http://p.sf.net/sfu/rim-blackberry-1
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs () lists sourceforge net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> > http://www.snort.org
------------------------------------------------------------------------------
Get a FREE DOWNLOAD! and learn more about uberSVN rich system, 
user administration capabilities and model configuration. Take 
the hassle out of deploying and managing Subversion and the 
tools developers use with it. http://p.sf.net/sfu/wandisco-d2d-2
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!