Snort mailing list archives
Re: Default rule set
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Fri, 16 May 2014 18:13:53 +0000
On May 16, 2014, at 1:16 PM, Kurzawa, Kevin <kkurzawa () co pinellas fl us> wrote:
> If you use the "security" ruleset (vs the connectivity or balanced ruleset) then you will end up with around 6K rules. Balanced is several hundred fewer, I believe. The criteria for what each ruleset consists of are found on the snort.org site. It has to do with age and criticality, basically.
>
> http://blog.snort.org/2013/10/snort-vrt-default-ruleset-rebalancing.html
>
> Pulled Pork has an option in the config file to do this automatically. Oinkmaster does not, that I found. It is why I switched from Oinkmaster to Pulled Pork, myself.
Correct. Pulledpork has this functionality by default.
> -----Original Message-----
> From: Sallee, Jake [mailto:Jake.Sallee () umhb edu]
> Sent: Friday, May 16, 2014 1:01 PM
> To: snort-users () lists sourceforge net
> Subject: [Snort-users] Default rule set
>
> Hello All:
>
> Does anyone have a recommendation for a default rule set? I am tuning my snort instances and the information I am finding seems to be that I need to try to keep my rules under 7k. The default ET rule set is ~15k if I am not mistaken, so I am looking for a good starting point.
>
> If anyone could share any wisdom about disabling whole ranges and/or categories I would very much appreciate it; also, if anyone has a standard list of entries to put in my disablesid.conf as a good starting point I would be very grateful.
>
> If it helps, I work for a small private university with a sizeable resident population of students that I am essentially an ISP for, and also have the standard office/corporate environment for my faculty/staff users too. Oh, and I have a full BYOD network on both the student and faculty/staff networks ... so, yeah ... I don't sleep at night.
>
> Thank you in advance for any assistance you may be able to offer.
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
> WWW.UMHB.EDU
> 900 College St.
> Belton, Texas 76513
> Fone: 254-295-4658
> Phax: 254-295-4221

------------------------------------------------------------------------------
"Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
Instantly run your Selenium tests across 300+ browser/OS combos. Get unparalleled scalability from the best Selenium testing platform available. Simple to use. Nothing to install. Get started now for free."
http://p.sf.net/sfu/SauceLabs
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
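Added example, not part of the thread and not pulledpork's own code: a small script that does the kind of disablesid.conf processing Jake asks about (disable by whole category, by SID range, or by regex) and reports the enabled-rule count before and after, which is the number he wants to keep under 7k. The three entry forms it accepts (a rule-file name without ".rules" for a category, gid:sid-gid:sid for a range, pcre: for a regex over the rule text) are modelled on how I understand pulledpork's disablesid.conf to work; treat that as an assumption and check the comments at the top of the shipped disablesid.conf before relying on it. The config setting Kevin refers to for picking the connectivity/balanced/security ruleset is, as far as I recall, ips_policy in pulledpork.conf. The rule files and SIDs below are constructed for the example and are not real rules.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample rule files: SIDs, messages and file names are invented for
# illustration and are not real Snort/ET rules. Rule B is already disabled.
SAMPLE_RULES: Dict[str, List[str]] = {
    "emerging-games.rules": [
        'alert tcp $HOME_NET any -> $EXTERNAL_NET 27015 (msg:"ET GAMES example A"; sid:2000001; rev:1;)',
        '# alert tcp $HOME_NET any -> $EXTERNAL_NET 27016 (msg:"ET GAMES example B"; sid:2000002; rev:1;)',
    ],
    "emerging-web_client.rules": [
        'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT example C"; sid:2010001; rev:2;)',
        'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT example D"; sid:2010002; rev:1;)',
        'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT example E"; sid:2010003; rev:1;)',
    ],
    "emerging-policy.rules": [
        'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY example F"; sid:2020001; rev:1;)',
    ],
}

# Constructed disablesid.conf. The entry forms are an assumption modelled on
# pulledpork's file: a rule-file name without ".rules" disables a category,
# gid:sid-gid:sid disables a range, pcre: disables rules whose text matches.
DISABLESID = """
# whole category, by rule-file name
emerging-games
# a contiguous SID range
1:2010002-1:2010003
# everything whose rule text matches a regex
pcre:ET POLICY
"""

RULE_RE = re.compile(r'^(?P<off>#\s*)?(?P<action>alert|log|pass|drop|reject|sdrop)\s')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid:\s*(\d+)\s*;')


def parse_rule(line: str) -> Optional[dict]:
    """Return enabled flag, gid and sid for a rule line, or None for non-rule lines."""
    m = RULE_RE.match(line)
    sid = SID_RE.search(line)
    if not m or not sid:
        return None
    gid = GID_RE.search(line)
    return {"enabled": m.group("off") is None,
            "gid": int(gid.group(1)) if gid else 1,  # Snort defaults gid to 1
            "sid": int(sid.group(1))}


def parse_disablesid(text: str) -> List[Tuple[str, object]]:
    """Turn disablesid.conf text into (kind, value) entries; '#' starts a comment."""
    entries: List[Tuple[str, object]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("pcre:"):
            entries.append(("pcre", re.compile(line[len("pcre:"):].strip())))
            continue
        m = re.fullmatch(r'(\d+):(\d+)-(\d+):(\d+)', line)
        if m:
            entries.append(("range", tuple(int(x) for x in m.groups())))
            continue
        m = re.fullmatch(r'(\d+):(\d+)', line)
        if m:
            entries.append(("sid", (int(m.group(1)), int(m.group(2)))))
            continue
        entries.append(("category", line))  # anything else is a rule-file stem
    return entries


def matches(entry: Tuple[str, object], category: str, rule: dict, line: str) -> bool:
    kind, val = entry
    if kind == "category":
        return val == category
    if kind == "sid":
        return (rule["gid"], rule["sid"]) == val
    if kind == "range":
        g1, s1, g2, s2 = val  # type: ignore[misc]
        return (g1, s1) <= (rule["gid"], rule["sid"]) <= (g2, s2)
    return val.search(line) is not None  # type: ignore[union-attr]


def apply_disables(rules_by_file: Dict[str, List[str]],
                   entries: List[Tuple[str, object]]) -> Dict[str, List[str]]:
    """Comment out every enabled rule that any disablesid entry matches."""
    out: Dict[str, List[str]] = {}
    for fname, lines in rules_by_file.items():
        category = fname[:-len(".rules")] if fname.endswith(".rules") else fname
        new_lines = []
        for line in lines:
            rule = parse_rule(line)
            if rule and rule["enabled"] and any(matches(e, category, rule, line) for e in entries):
                line = "# " + line
            new_lines.append(line)
        out[fname] = new_lines
    return out


def count_rules(rules_by_file: Dict[str, List[str]]) -> Tuple[int, int]:
    """Return (total rules, enabled rules) across all files."""
    total = enabled = 0
    for lines in rules_by_file.values():
        for line in lines:
            rule = parse_rule(line)
            if rule:
                total += 1
                enabled += int(rule["enabled"])
    return total, enabled


if __name__ == "__main__":
    before = count_rules(SAMPLE_RULES)
    tuned = apply_disables(SAMPLE_RULES, parse_disablesid(DISABLESID))
    after = count_rules(tuned)
    print(f"enabled before: {before[1]}/{before[0]}, after: {after[1]}/{after[0]}")
    for fname, lines in tuned.items():
        for line in lines:
            print(f"{fname}: {line[:70]}")
```

Run against a real rules directory by reading each *.rules file into the dict in place of SAMPLE_RULES; the count it prints is the figure to compare against the 7k target, and the category form is the quickest way to shed whole families (games, policy, p2p and the like) that a campus ISP-style network may not want to alert on.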
Current thread:
- Default rule set Sallee, Jake (May 16)
- Re: Default rule set James Lay (May 16)
- Re: Default rule set Kurzawa, Kevin (May 16)
- Re: Default rule set Joel Esler (jesler) (May 16)
- Re: Default rule set waldo kitty (May 16)
- Re: Default rule set Y M (May 17)
- Re: Default rule set waldo kitty (May 17)
- Re: Default rule set Sallee, Jake (May 17)
- Default rule set Sallee, Jake (May 17)
- Re: Default rule set Y M (May 18)
- Re: Default rule set Jefferson, Shawn (May 23)