Snort mailing list archives
Re: How to decide which rules should be enabled.
From: Jeremy Hoel <jthoel () gmail com>
Date: Wed, 18 Jul 2012 13:29:41 +0000
To test a Snort config it's 'snort -T -c <path to snort.conf file>'. To see if it's detecting alerts, make a rule in local.rules that alerts on any any, then start Snort and see that an alert gets generated (best to have barnyard output to syslog at this point). Once alerts are generated, have barnyard go to unified2 and away you go.

As for rule enabling and tweaking, that's a much larger topic. Each site being different, what we do (did) was use pulledpork to enable the groups of rules that we wanted and then used disabled and threshold to remove or squash rules that we didn't need. Then we would add another group and see what changes over time. There's no real easy right or wrong way to add rules, other than trial and error.

On Wed, Jul 18, 2012 at 7:47 AM, Bravo Snipper <snipperbravo () yahoo com> wrote:
Hi

After Snort installation, how can we decide which rules should be enabled, or should we enable all the rules given by Snort? Can anyone please share some tutorial regarding this aspect of Snort configuration? Plus, can anyone name some standard set of tools to test Snort's setup?

regards.

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
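The tuning loop Jeremy describes (enable a group of rules, disable the ones you do not want, threshold the noisy ones, look at what fires, repeat) is easy to script. The following is an added example, not code from this thread, from Snort or from pulledpork: it parses a rules file, comments out rules that match a pulledpork-style disable list, counts alerts per sid from syslog-format alert lines (the kind barnyard emits when pointed at syslog), and emits threshold.conf event_filter lines for rules that fire more than a chosen number of times. The sample rules, disable entries and alert lines are constructed for illustration; the two disable-entry forms supported (gid:sid and pcre:regex) are an assumed subset of pulledpork's disablesid.conf syntax, and the option parser handles one-line rules with simple key:value options only.

```python
"""Snort rule-tuning helper (added example; not code from the thread, Snort or pulledpork).
Parses rules, applies a disable list, counts alerts from syslog lines and emits threshold.conf
entries. All sample data below is constructed. The disablesid.conf entry forms (gid:sid and
pcre:regex) are an assumed subset of pulledpork's syntax; the rule parser is deliberately simple
(one-line rules, key:value options, no escaped ';' inside content/pcre values)."""
import re
from collections import Counter

RULE_RE = re.compile(r'^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<header>[^(]+)'
                     r'\((?P<opts>.*)\)\s*$')
OPT_RE = re.compile(r'(\w+)\s*:\s*([^;]*);')   # key:value options; bare flags like "nocase;" are skipped
ALERT_RE = re.compile(r'\[(\d+):(\d+):\d+\]')  # "[gid:sid:rev]" as written by fast/syslog alert output

SAMPLE_RULES = """\
# local.rules (constructed): a catch-all test rule plus a few realistic-looking ones
alert ip any any -> any any (msg:"TEST any any"; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC noisy scanner"; flow:to_server,established; content:"GET"; nocase; classtype:web-application-activity; sid:9000002; rev:2;)
alert udp any any -> any 53 (msg:"DNS TXT query"; content:"|00 10|"; classtype:misc-activity; sid:9000003; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"SSH brute attempt"; flow:to_server; classtype:attempted-admin; sid:9000004; rev:1;)
"""
SAMPLE_DISABLE = """\
# disablesid.conf (constructed): retire the test rule by gid:sid, the DNS rule by regex on the rule text
1:9000001
pcre:DNS TXT
"""
SAMPLE_ALERTS = "\n".join(   # constructed syslog lines in Snort's fast-alert layout
    ["Jul 18 13:29:41 sensor1 snort[2212]: [1:9000001:1] TEST any any "
     "[Priority: 0] {TCP} 10.0.0.5:51234 -> 10.0.0.10:80"]
    + ["Jul 18 13:29:%02d sensor1 snort[2212]: [1:9000002:2] WEB-MISC noisy scanner "
       "[Classification: access to a potentially vulnerable web application] [Priority: 2] "
       "{TCP} 198.51.100.7:%d -> 10.0.0.10:80" % (41 + i, 40000 + i) for i in range(12)]
    + ["Jul 18 13:30:01 sensor1 snort[2212]: [1:9000004:1] SSH brute attempt "
       "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] "
       "{TCP} 203.0.113.9:2222 -> 10.0.0.10:22"])


def parse_rules(text):
    """Return one dict per active (uncommented) rule: gid, sid, msg, classtype and the raw line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue                                  # comment or already-disabled rule
        m = RULE_RE.match(line)
        if not m:
            continue                                  # not a one-line rule this parser understands
        opts = dict(OPT_RE.findall(m.group('opts')))
        if 'sid' not in opts:
            continue                                  # Snort itself rejects rules without a sid
        rules.append({'gid': int(opts.get('gid', 1)), 'sid': int(opts['sid']),
                      'msg': opts.get('msg', '').strip().strip('"'),
                      'classtype': opts.get('classtype'), 'raw': line})
    return rules


def load_disable_list(text):
    """Parse disable entries: 'gid:sid' or 'pcre:<regex>' (assumed subset of disablesid.conf)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('pcre:'):
            entries.append(('pcre', re.compile(line[len('pcre:'):])))
        else:
            gid, sid = line.split(':', 1)
            entries.append(('sid', (int(gid), int(sid))))
    return entries


def apply_disable(rules_text, entries):
    """Comment out matching rules (as pulledpork does) and return (new_text, set_of_disabled_sids)."""
    by_raw = {r['raw']: r for r in parse_rules(rules_text)}
    out, disabled = [], set()
    for line in rules_text.splitlines():
        rule = by_raw.get(line.strip())
        if rule and any((kind == 'sid' and val == (rule['gid'], rule['sid'])) or
                        (kind == 'pcre' and val.search(line)) for kind, val in entries):
            out.append('# ' + line)
            disabled.add(rule['sid'])
        else:
            out.append(line)
    return '\n'.join(out) + '\n', disabled


def count_alerts(log_text):
    """Count alerts per (gid, sid) from syslog/fast-format lines containing '[gid:sid:rev]'."""
    counts = Counter()
    for m in ALERT_RE.finditer(log_text):
        counts[(int(m.group(1)), int(m.group(2)))] += 1
    return counts


def build_threshold(counts, noisy_limit=10, seconds=60):
    """For rules firing at least noisy_limit times in the sample, emit a threshold.conf event_filter
    that squashes them to one alert per source per `seconds` instead of disabling them outright."""
    return ['event_filter gen_id %d, sig_id %d, type limit, track by_src, count 1, seconds %d'
            % (gid, sid, seconds)
            for (gid, sid), n in sorted(counts.items()) if n >= noisy_limit]


if __name__ == '__main__':
    new_rules, off = apply_disable(SAMPLE_RULES, load_disable_list(SAMPLE_DISABLE))
    print(new_rules)
    print('disabled sids:', sorted(off))
    print('\n'.join(build_threshold(count_alerts(SAMPLE_ALERTS))))
```

Run against real data, point `apply_disable` at the rules pulledpork wrote and `count_alerts` at a day of barnyard syslog output; the output of `build_threshold` is what you would paste into threshold.conf, after reading each candidate rule to decide whether it deserves a limit, a suppress, or simply to be disabled in the next pass.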
Current thread:
- How to decide which rules should be enabled. Bravo Snipper (Jul 18)
- Re: How to decide which rules should be enabled. Jeremy Hoel (Jul 18)
- Re: How to decide which rules should be enabled. Tony Robinson (Jul 18)
- Re: How to decide which rules should be enabled. Tony Robinson (Jul 18)
- Re: How to decide which rules should be enabled. Bravo Snipper (Jul 19)
- Re: How to decide which rules should be enabled. Lay, James (Jul 19)
- Re: How to decide which rules should be enabled. Joel Esler (Jul 19)
- Re: How to decide which rules should be enabled. Lay, James (Jul 19)
- Re: How to decide which rules should be enabled. Castle, Shane (Jul 19)
- Re: How to decide which rules should be enabled. JJC (Jul 19)
- Re: How to decide which rules should be enabled. Joel Esler (Jul 19)
- Re: How to decide which rules should be enabled. Tony Robinson (Jul 18)