Snort mailing list archives
Re: which rules to load ?
From: Peter Bates <peter.bates () ucl ac uk>
Date: Wed, 29 Aug 2012 13:11:58 +0100
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello all On 29/08/2012 12:07, Pratik Narang wrote:
Is there anyone out there running who is Snort for a commercial environment or at least for a medium sized network? How does one shortlist on the .rules files to be used and the rules (in them) to be enabled ??
A lot of advice on this topic is best expressed as 'know your network'. If you have no inbound telnet or ftp then telnet.rules and ftp.rules are not so much use. There are currently 3081 VRT rules enabled by default - if you have a fair amount of RAM I'd suggest running them all and seeing what you get. I'd then suggest you use Pulledpork to manage your rules and put the ones that are leading to FPs in disablesid.conf. When PP logs some new rules, look at them and evaluate whether they are applicable to your environment, for example, from this morning for me: - -=BEGIN PULLEDPORK SNORT RULES CHANGELOG, Tracking started on Wed Aug 29 05:45:3 1 2012 GMT=- - -=Begin Changes Logged for Wed Aug 29 05:45:31 2012 GMT=- New Rules BACKDOOR Trojan.Kryptik.Kazy runtime detection (1:23987) BOTNET-CNC Trojan.Dropper connect to server attempt (1:23978) <snip> EXPLOIT HP Data Protector Express stack buffer overflow attempt (1:23979) If you know you don't run HP Data Protector, you can just add those new rules to your disablesid.conf. The difficulty of course lies in whether you know you run an application or not. I don't think there's a magic bullet. - -- Peter Bates Senior Computer Security Officer Phone: +44(0)2076792049 Information Services Division Internal Ext: 32049 University College London London WC1E 6BT -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.17 (MingW32) Comment: Using GnuPG with Mozilla - http://www.enigmail.net/ iQEcBAEBAgAGBQJQPgcOAAoJELhVoVpEMS6Rl+kIAIIvrhy7qmawyeQVyQSF+Y5u 7/9q+Tr0FCVA8FFglY8jrnLCjCwZkwr1zRZ2jCzXh0EQ3jKDKZ+9lsRncpkimdyp BDCn9fWR0I+RfJhcuIRWtGnIX1QlvNEEVzWEMB/MsDypSYUhnDgNsUbKmOyJiJ3/ xfnhMeQxtlz93K7ngp2gn9d4az9lHhm91gIUpo6rIbQHc368ONMq8XI9pZTstNA7 sVe1+SMmE2Y617TofRkaeeupRCX5i+vp7oSipw3vuJTHGJNq9ubK8+LFmWKIj+cg tpux+gNI3T3geSN4TLmA4EYN3G06PbCPua1NXmUlwOQq3oXzmyuH4ZBySFiBZHA= =pdOu -----END PGP SIGNATURE----- ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- which rules to load ? Pratik Narang (Aug 29)
- Re: which rules to load ? Peter Bates (Aug 29)
- Re: which rules to load ? Jefferson, Shawn (Aug 29)