Snort mailing list archives
Re: Rules commented
From: Y M <snort () outlook com>
Date: Fri, 21 Dec 2012 19:47:03 +0000
Inline.

> Date: Fri, 21 Dec 2012 10:02:53 -0500
> From: juan.valencia () seguratec com co
> To: snort-users () lists sourceforge net
> Subject: [Snort-users] Rules commented
>
> Hi guys,
>
> I have snort integrated with another security product that basically parses the alerts sent by snort and takes action over the node. I have been reviewing the snort rules and I have seen that there are a lot of rules commented; after that I have a couple of questions:
>
> What is the reason there are a lot of rules commented? Will we have problems if I uncomment all the rules?

The first part of the question is because of two reasons, based on my knowledge:

1. Every network is different and has its own traffic. Rules must be tuned to match your needs.
2. Policy. The Snort team has devised a 4-type policy: connectivity, balanced, security, and no policy (no policy defined). You can read more about this and the reasons, hows and whys at the links below:

http://blog.snort.org/2012/01/importance-of-pulledpork.html
http://blog.snort.org/2012/03/rule-category-reorganization.html

These and the embedded links will give you a good idea.

For the second part of the question, I would say yes. Too many unmanageable alerts/rules, alerts that may mean nothing to your environment, and performance issues.

> What is the best way to begin activating these rules?

PulledPork will be the way to go. Which is also explained in the first link.

> Thanks in advance,
> Best regards,
>
> P.S.: Maybe this question was resolved a long time ago, and I just didn't search correctly.
>
> --
> JUAN CAMILO VALENCIA VARGAS
> Operations Engineer
> SeguraTec S.A.S
> Calle 11 # 43B-50 of 307
> Medellín, Colombia
> "Choose a job you love, and you will never have to work a day in your life"

------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT.
Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
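The reply above makes two points: most rules in a Snort rule file ship commented out, and the policy a rule belongs to is recorded in the rule itself, so blindly uncommenting everything enables rules from every policy at once. The following script is an added example, not code from the thread or from the Snort or PulledPork projects; it parses a rule file, separates enabled from commented-out rules, and reports which of the disabled rules carry which policy tag. It assumes the Snort 2.9 rule syntax and the `metadata:policy <name>-ips drop` tags (connectivity-ips, balanced-ips, security-ips) that the Snort rule sets use to mark policy membership; the sample rules, messages and SIDs are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample rule file in Snort 2.9 syntax (not a real rule set).
# Lines starting with "# alert ..." are rules shipped disabled; plain comment
# lines carry no rule. The "policy <name>-ips drop" metadata tags mark the
# policy each rule belongs to; a rule with no tag belongs to no policy.
SAMPLE_RULES = """\
# Constructed sample rule file
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE ssh brute attempt"; flow:to_server; metadata:policy balanced-ips drop, policy security-ips drop; sid:9000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SAMPLE noisy http probe"; flow:to_server,established; metadata:policy security-ips drop; sid:9000002; rev:1;)
# alert udp any any -> any 53 (msg:"SAMPLE dns anomaly"; metadata:policy security-ips drop; sid:9000003; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"SAMPLE irc without policy tag"; sid:9000004; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SAMPLE smb exploit"; metadata:policy connectivity-ips drop, policy balanced-ips drop, policy security-ips drop; sid:9000005; rev:3;)
"""

# A rule line: optional leading "#" (disabled), an action keyword, then the
# header and the parenthesised option list.
RULE_RE = re.compile(
    r"^(?P<disabled>#\s*)?(?P<action>alert|drop|pass|log|reject|sdrop)\s+(?P<body>.+\(.+\))$"
)
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
POLICY_RE = re.compile(r"\bpolicy\s+([a-z]+-ips)\s+\w+")


def parse_rules(text):
    """Return one record per rule line: sid, enabled flag and policy tags."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # blank line or a plain comment, not a rule
        sid_m = SID_RE.search(m.group("body"))
        if not sid_m:
            continue  # malformed rule without a sid; skip rather than guess
        rules.append({
            "sid": int(sid_m.group(1)),
            "enabled": m.group("disabled") is None,
            "policies": set(POLICY_RE.findall(m.group("body"))),
        })
    return rules


def summarize(rules):
    """Count enabled vs disabled rules and break the disabled ones down by policy tag."""
    disabled = [r for r in rules if not r["enabled"]]
    by_policy = Counter()
    for r in disabled:
        for policy in r["policies"]:
            by_policy[policy] += 1
    return {
        "total": len(rules),
        "enabled": sum(1 for r in rules if r["enabled"]),
        "disabled": len(disabled),
        "disabled_with_policy": dict(by_policy),
        # Disabled rules with no policy tag: uncommenting everything turns
        # these on too, although no policy asks for them.
        "disabled_untagged": [r["sid"] for r in disabled if not r["policies"]],
    }


def sids_for_policy(rules, policy):
    """SIDs that would be active if exactly the rules carrying this policy tag were enabled."""
    return sorted(r["sid"] for r in rules if policy in r["policies"])


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    print(summarize(parsed))
    for policy in ("connectivity-ips", "balanced-ips", "security-ips"):
        print(policy, sids_for_policy(parsed, policy))
```

Run against a real `.rules` file (read it into `parse_rules`), the `disabled_untagged` list and the per-policy counts show how far "uncomment all" departs from any one of the four policies; PulledPork applies the same policy tags when it enables or disables rules, which is why the reply points there instead of editing the files by hand.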
Current thread:
- Rules commented Juan Camilo Valencia (Dec 21)
- Re: Rules commented Y M (Dec 21)