Snort mailing list archives

Re: Default rule set


From: "Kurzawa, Kevin" <kkurzawa () co pinellas fl us>
Date: Fri, 16 May 2014 13:16:02 -0400

If you use the "security" ruleset (vs the connectivity or balanced ruleset) then you will end up with around 6K rules. 
Balanced is several hundred fewer, I believe. The criteria for what each ruleset consists of are found on the 
snort.org site. It has to do with age and criticality, basically.

Pulled Pork has an option in the config file to do this automatically. Oinkmaster does not, as far as I found. It is why I 
switched from Oinkmaster to Pulled Pork, myself.


-----Original Message-----
From: Sallee, Jake [mailto:Jake.Sallee () umhb edu] 
Sent: Friday, May 16, 2014 1:01 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Default rule set

Hello All:

Does anyone have a recommendation for a default rule set?  I am tuning my snort instances and the information I am 
finding seems to be that I need to try to keep my rules under 7k.  The default ET rule set is ~15k if I am not 
mistaken, so I am looking for a good starting point.

If anyone could share any wisdom about disabling whole ranges and/or categories I would very much appreciate it, also 
if anyone has a standard list of entries to put in my disablesid.conf as a good starting point I would be very grateful.

If it helps, I work for a small private university with a sizeable resident population of students that I am 
essentially an ISP for and also have the standard office/corporate environment for my faculty/staff users too.  Oh, and 
I have a full BYOD network on both the student and faculty/staff networks ... so, yeah ... I don't sleep at night.

Thank you in advance for any assistance you may be able to offer.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221

------------------------------------------------------------------------------
"Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE Instantly run your Selenium tests across 300+ 
browser/OS combos.
Get unparalleled scalability from the best Selenium testing platform available Simple to use. Nothing to install. Get 
started now for free."
http://p.sf.net/sfu/SauceLabs
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!


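The thread turns on two knobs: picking a rule policy (in PulledPork this is the ips_policy setting in pulledpork.conf, also -I on the command line, with values connectivity, balanced and security) and then trimming further with disablesid.conf entries. Before committing a disablesid.conf, it helps to know how many rules it will leave enabled per category, which is what the following script estimates. It is an added example and not PulledPork's or Snort's own code; it mimics the disablesid.conf entry forms PulledPork documents (gid:sid, gid:sid-gid:sid ranges, pcre:regex matched against the rule text, and a bare category name taken as a .rules file name), but the exact matching semantics are assumed, and the rule files, sids and disablesid.conf content below are constructed for the example, not real ET rules.

```python
"""Dry-run of PulledPork-style disablesid.conf processing over Snort rule files.

Added example. The rule files and the disablesid.conf below are constructed
(sids in the 2000000+ range are placeholders, not real Emerging Threats sids),
and the entry-matching semantics are an assumption about how PulledPork behaves.
"""
import re
from collections import Counter

ACTION_RE = re.compile(r'^(alert|log|pass|drop|reject|sdrop)\s')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid\s*:\s*(\d+)\s*;')

# Constructed sample rule files, keyed by category (the .rules file name).
SAMPLE_RULES = {
    "emerging-games": """
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET GAMES sample rule A"; flow:to_server,established; sid:2000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET GAMES sample rule B"; flow:to_server,established; sid:2000002; rev:1;)
""",
    "emerging-policy": """
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET POLICY sample rule C"; sid:2000010; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET POLICY sample rule D"; sid:2000011; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET POLICY sample rule E"; sid:2000012; rev:1;)
""",
    "emerging-trojan": """
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN sample rule F"; sid:2000020; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN sample rule G"; sid:2000021; rev:1;)
""",
}

# Constructed disablesid.conf exercising each entry form.
SAMPLE_DISABLESID = """
# whole category (rules file name without .rules)
emerging-games
# gid:sid range
1:2000010-1:2000011
# regex against the full rule text
pcre:sample rule G
"""


def parse_rules(text, category):
    """Parse one rules file; a leading '#' marks a rule disabled upstream."""
    rules = []
    for line in text.splitlines():
        s = line.strip()
        if not s:
            continue
        enabled = not s.startswith('#')
        body = s.lstrip('# ')
        if not ACTION_RE.match(body):
            continue  # comment text, not a commented-out rule
        m = SID_RE.search(body)
        if not m:
            continue
        g = GID_RE.search(body)
        rules.append({
            'gid': int(g.group(1)) if g else 1,
            'sid': int(m.group(1)),
            'enabled': enabled,
            'category': category,
            'raw': body,
        })
    return rules


def parse_disablesid(text):
    """Turn disablesid.conf lines into (kind, value) entries."""
    entries = []
    for line in text.splitlines():
        s = line.split('#', 1)[0].strip()
        if not s:
            continue
        if s.startswith('pcre:'):
            entries.append(('pcre', re.compile(s[len('pcre:'):])))
        elif re.fullmatch(r'\d+:\d+-\d+:\d+', s):
            lo, hi = s.split('-')
            g1, s1 = map(int, lo.split(':'))
            g2, s2 = map(int, hi.split(':'))
            entries.append(('range', (g1, s1, g2, s2)))
        elif re.fullmatch(r'\d+:\d+', s):
            g, sid = map(int, s.split(':'))
            entries.append(('sid', (g, sid)))
        else:
            entries.append(('category', s))
    return entries


def matches(rule, entry):
    kind, val = entry
    if kind == 'sid':
        return (rule['gid'], rule['sid']) == val
    if kind == 'range':
        g1, s1, g2, s2 = val
        return rule['gid'] == g1 == g2 and s1 <= rule['sid'] <= s2
    if kind == 'pcre':
        return val.search(rule['raw']) is not None
    return rule['category'] == val


def apply_disablesid(rules, entries):
    """Return a copy of the rule list with matching enabled rules disabled."""
    out = []
    for r in rules:
        r = dict(r)
        if r['enabled'] and any(matches(r, e) for e in entries):
            r['enabled'] = False
        out.append(r)
    return out


def summarize(rules):
    per_cat = Counter(r['category'] for r in rules if r['enabled'])
    return {'total': len(rules), 'enabled': sum(per_cat.values()),
            'per_category': dict(per_cat)}


def load_sample():
    rules = []
    for category, text in SAMPLE_RULES.items():
        rules.extend(parse_rules(text, category))
    return rules


if __name__ == "__main__":
    rules = load_sample()
    print("before:", summarize(rules))
    after = apply_disablesid(rules, parse_disablesid(SAMPLE_DISABLESID))
    print("after: ", summarize(after))
```

Pointing load_sample at a real rules directory (one parse_rules call per .rules file, category taken from the file name) gives the enabled count per category that Jake is after, so he can see whether a candidate disablesid.conf brings the set under his 7k target before running PulledPork for real. The per-category counts also make it obvious which categories carry the most rules and are therefore the first candidates for disabling wholesale.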