Snort mailing list archives

Re: which rules to load ?

From: Peter Bates <peter.bates () ucl ac uk>
Date: Wed, 29 Aug 2012 13:11:58 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hello all

On 29/08/2012 12:07, Pratik Narang wrote:

Is there anyone out there running who is Snort for a commercial 
environment or at least for a medium sized network? How does one 
shortlist on the .rules files to be used and the rules (in them) to
be enabled ??


A lot of advice on this topic is best expressed as 'know your network'.
If you have no inbound telnet or ftp then telnet.rules and ftp.rules
are not so much use.

There are currently 3081 VRT rules enabled by default - if you have a
fair amount of RAM I'd suggest running them all and seeing what you get.

I'd then suggest you use Pulledpork to manage your rules and put the
ones that are leading to FPs in disablesid.conf.

When PP logs some new rules, look at them and evaluate whether they
are applicable to your environment, for example, from this morning for me:

- -=BEGIN PULLEDPORK SNORT RULES CHANGELOG, Tracking started on Wed Aug
29 05:45:3
1 2012 GMT=-

- -=Begin Changes Logged for Wed Aug 29 05:45:31 2012 GMT=-

New Rules
        BACKDOOR Trojan.Kryptik.Kazy runtime detection (1:23987)
        BOTNET-CNC Trojan.Dropper connect to server attempt (1:23978)
<snip>
        EXPLOIT HP Data Protector Express stack buffer overflow
attempt (1:23979)

If you know you don't run HP Data Protector, you can just add those
new rules to your disablesid.conf.

The difficulty of course lies in whether you know you run an
application or not. I don't think there's a magic bullet.

- -- 
Peter Bates
Senior Computer Security Officer    Phone: +44(0)2076792049
Information Services Division       Internal Ext: 32049
University College London
London WC1E 6BT
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iQEcBAEBAgAGBQJQPgcOAAoJELhVoVpEMS6Rl+kIAIIvrhy7qmawyeQVyQSF+Y5u
7/9q+Tr0FCVA8FFglY8jrnLCjCwZkwr1zRZ2jCzXh0EQ3jKDKZ+9lsRncpkimdyp
BDCn9fWR0I+RfJhcuIRWtGnIX1QlvNEEVzWEMB/MsDypSYUhnDgNsUbKmOyJiJ3/
xfnhMeQxtlz93K7ngp2gn9d4az9lHhm91gIUpo6rIbQHc368ONMq8XI9pZTstNA7
sVe1+SMmE2Y617TofRkaeeupRCX5i+vp7oSipw3vuJTHGJNq9ubK8+LFmWKIj+cg
tpux+gNI3T3geSN4TLmA4EYN3G06PbCPua1NXmUlwOQq3oXzmyuH4ZBySFiBZHA=
=pdOu
-----END PGP SIGNATURE-----


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

which rules to load ? Pratik Narang (Aug 29)
- Re: which rules to load ? Peter Bates (Aug 29)
- Re: which rules to load ? Jefferson, Shawn (Aug 29)