Snort mailing list archives

Re: How to decide which rules should be enabled.


From: Tony Robinson <trobinson () sourcefire com>
Date: Wed, 18 Jul 2012 09:53:04 -0400

Realized I made some typos on my example rule.

it should be alert icmp any any any any (message:"[your message]";
sid:[your sid number]; rev:[rev. number];)

- there should be four any statements in the rule header, message argument
is usually in quotes, and each argument in the rule body must have a
semicolon after it.

... guess my coffee hasn't kicked in yet.

Cheers,

-Tony

On Wed, Jul 18, 2012 at 9:40 AM, Tony Robinson <trobinson () sourcefire com>wrote:

Hi there,

The question around rulesets is one that is very easy to ask, and
exceptionally difficult to answer. It really requires knowing your network
and enabling rules for things that concern you. that is going to differ
from place to place and snort deployment to snort deployment. One person
may be concerned about p2p traffic, or rules that violate corporate policy,
while another may be concerned about botnet CNC rules.

Something that may help you build a good rule baseline is the program
pulled pork. (link to the readme:
http://code.google.com/p/pulledpork/source/browse/trunk/README?r=225) The
program will pull down the latest available rules from snort.org and
allows you to easily build a ruleset based off three base policies:
Connectivity over Security, Balanced, and Security over Connectivity. From
there you can pare down a rule-heavy ruleset, or bulk up one of the smaller
rulesets to meet your needs.

Another recommendation I can make is signing up to the SANS @risk
newsletter. Every Thursday, SANS puts out a newsletter of the top exploits
and malware seen out in the wild, with the help of our very own VRT
(Vulnerability Research Team). Under each vulnerability is an associated
snort SID (or in some cases, multiple SIDs), and an associated ClamAV
signature for detecting the exploit or malware. Best of all, this is a free
resource.

While these aren't definitive answers to your question, they are a very
good start to building a good rule set.

In regards to your question for testing snort, there are many ways of
doing that. Snort has a built-in -T parameter you can use to test the
snort.conf file and ensure that everything is "sane" and that snort will at
least start up.

In terms of testing whether or not snort is actively sniffing traffic off
the wire, a good trick is to create a file called local.rules, include it
in your snort.conf file and create a simple rule such as:

alert icmp any any any (message:[your message here] sid:1000000; rev:1;)

and trying pinging something your snort sensor has visibility on. If you
get alerts, it is a good sign that snort is working. This is usually a
setup step specified in some of the snort install guides on snort.org.

Hope this helps,

-Tony

On Wed, Jul 18, 2012 at 3:47 AM, Bravo Snipper <snipperbravo () yahoo com>wrote:

Hi
After snort installation now how can we decide that which rules should be
enabled or we should enable all the rules given by snort. Can any one
please share some  tutorial regarding this aspect of snort configuration.

Plus can any one name some standard set of tools to  test snorts setup.

regards.


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!




--

 Tony Robinson
Security Consultant I
SourceFIRE Professional Services Division






-- 

 Tony Robinson
Security Consultant I
SourceFIRE Professional Services Division
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread: