Snort mailing list archives

Re: which rules to load ?


From: "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>
Date: Wed, 29 Aug 2012 11:23:58 -0600

Hi,

Personally, I would do either of these approaches to start (using Pulled Pork... nothing else is as good, IMO)

1. Enable ALL the rules OR use "security" or "balanced" configuration to get started (look in the PulledPork docs for an explanation of these).
2. Monitor your system for false positives and remove these via pulledpork.
3. Monitor your system for performance and either use BPFs to exclude traffic, disable poorly performing rules or beef up your equipment.

That's it.  No magic formula, just work.
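Step 2 above, turned into a small triage script. This is an added example, not code from the thread or from PulledPork itself: it assumes Snort's alert_fast output format, counts alerts per gid:sid, and emits the noisiest rules in the `gid:sid` form that PulledPork's disablesid.conf reads. The sample alert lines and SIDs are constructed for the example; the output is a candidate list for an analyst to check, since a high hit count can just as well be a real incident as a false positive.

```python
import re
from collections import Counter

# Constructed alert_fast lines for this example; SIDs are in the local range and
# the rule messages are placeholders, not real rules from any ruleset.
SAMPLE_ALERTS = """\
08/29-11:01:02.000001  [**] [1:1000001:1] LOCAL admin page probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:51234 -> 10.0.0.9:80
08/29-11:01:03.000002  [**] [1:1000002:2] LOCAL internal scanner sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.9:40000 -> 10.0.0.7:22
08/29-11:01:04.000003  [**] [1:1000002:2] LOCAL internal scanner sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.9:40001 -> 10.0.0.8:22
08/29-11:01:05.000004  [**] [1:1000002:2] LOCAL internal scanner sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.9:40002 -> 10.0.0.6:22
08/29-11:01:06.000005  [**] [1:1000003:1] LOCAL backup job traffic [**] [Classification: Potentially Bad Traffic] [Priority: 3] {TCP} 10.0.0.20:45000 -> 10.0.0.21:873
08/29-11:01:07.000006  [**] [1:1000003:1] LOCAL backup job traffic [**] [Classification: Potentially Bad Traffic] [Priority: 3] {TCP} 10.0.0.20:45001 -> 10.0.0.21:873
"""

# In alert_fast output, gid:sid:rev and the rule message sit between the two [**] markers.
ALERT_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]")

def count_alerts(lines):
    """Count alerts per (gid, sid) and remember each rule's message text."""
    counts = Counter()
    msgs = {}
    for line in lines:
        m = ALERT_RE.search(line)
        if not m:
            continue  # blank line or something not in alert_fast format
        gid, sid, _rev, msg = m.groups()
        key = (int(gid), int(sid))
        counts[key] += 1
        msgs[key] = msg
    return counts, msgs

def disablesid_candidates(lines, min_hits=2, top=10):
    """Return disablesid.conf-style lines for the noisiest rules: a '#' comment
    with hit count and message, then the 'gid:sid' entry PulledPork reads.
    The list is for analyst review; a high count may be a real incident."""
    counts, msgs = count_alerts(lines)
    out = []
    for (gid, sid), n in counts.most_common(top):
        if n < min_hits:
            break  # most_common is sorted, so nothing later meets the bar
        out.append(f"# {n} hits: {msgs[(gid, sid)]}")
        out.append(f"{gid}:{sid}")
    return out

if __name__ == "__main__":
    print("\n".join(disablesid_candidates(SAMPLE_ALERTS.splitlines())))
```

Run it against a real alert file with `disablesid_candidates(open(path).readlines())`, review each candidate, and paste only the confirmed false positives into the disablesid.conf that your pulledpork.conf points at.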


-----Original Message-----
From: Pratik Narang [mailto:pratik.cse.bits () gmail com] 
Sent: Wednesday, August 29, 2012 4:08 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] which rules to load ?

Alright this might sound like a total noob question, but I am badly stuck on this-

How is it to be decided what Snort rules I should enable/uncomment? The purpose is to configure Snort as an IDS to monitor network activity, and alert against the standard set of things an IDS should alert against: buffer overflow attacks, injection attacks, port scans & information leaks to name a few, or in general, the attempts to detect/exploit vulnerabilities, leak data and evade policies.

Is there anyone out there who is running Snort for a commercial environment or at least for a medium sized network? How does one shortlist the .rules files to be used and the rules (in them) to be enabled?

Thanks...

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can 
respond. Discussions will include endpoint security, mobile security and the latest in malware threats. 
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
