Snort mailing list archives

Re: Choosing the best rules

From: James Lay <jlay () slave-tothe-box net>
Date: Mon, 24 Feb 2014 12:22:39 -0700

On Mon, 2014-02-24 at 19:14 +0000, Richard Harman Jr (rharmanj) wrote:

There's also the policy type in the rule metadata, which can be used
by PulledPork.  Here's a couple blog posts on the policies, and
pulledpork.


http://blog.snort.org/2013/10/snort-vrt-default-ruleset-rebalancing.html
http://blog.snort.org/2012/01/importance-of-pulledpork.html


Richard


From: SnortFan <SnortFan () yahoo com>
Date: Monday, February 24, 2014 at 1:41 PM
To: Michal Šutta <michal.sutta () gmail com>
Cc: "snort-users () lists sourceforge net"
<snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Choosing the best rules



That's a loaded question. What rules you enable should be dependent on
your environment/network etc...  


I use pulled pork and use the enablesid.conf and disablesid.conf to
turn on categories and disable certain rules. It's a constant
tuning.  Enabling all rules could put a heavy load on snort and flood
where your storing the results (i.e. Base).  


Hope that helps,
Ed


Sent from a mobile device. 


        On Feb 24, 2014, at 12:12 PM, Michal Šutta
        <michal.sutta () gmail com> wrote:
        
        Hello,
        
        which rules should be enabled when I want to test Snort ? I
        downloaded the newest rules snortrules-snapshot-2960.tar.gz
        but there are only around 4000 rules enabled. Is it a good
        idea to enable them all ? Is there a quick way to configure
        security policy usidng pulledpork or oinkmaster ?


What's in your environment?  You running a web server, load up the web
rules.  Running pop3?  Load those up....if you're not, then don't load
them.

James

Attachment: signature.asc
Description: This is a digitally signed message part

------------------------------------------------------------------------------
Flow-based real-time traffic analytics software. Cisco certified tool.
Monitor traffic, SLAs, QoS, Medianet, WAAS etc. with NetFlow Analyzer
Customize your own dashboards, set traffic alerts and generate reports.
Network behavioral analysis & security monitoring. All-in-one tool.
http://pubads.g.doubleclick.net/gampad/clk?id=126839071&iu=/4140/ostg.clktrk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

Choosing the best rules Michal Šutta (Feb 24)
- Re: Choosing the best rules SnortFan (Feb 24)
  - Re: Choosing the best rules Richard Harman Jr (rharmanj) (Feb 24)
    - Re: Choosing the best rules James Lay (Feb 24)