Snort mailing list archives

Re: default snort rules


From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Tue, 8 Jul 2014 22:19:39 +0000


On Jul 8, 2014, at 2:27 PM, Abhijit Tikekar <abhijittikekar () gmail com> wrote:

I am a new snort user. Current implementation is snort-2.9.6.1 on CentOS 6.4 along with barnyard and snorby. My 
question is regarding the ruleset which I downloaded as a registered user.

Many of the rule files are empty, e.g., icmp.rules or ddos.rules. Are these supposed to be empty?

Yes, these rules have transitioned to new categories per the policy realignment.

The reason I am asking is because when I used pytbull against snort to test, snort.log never recorded anything.
When I add a test icmp rule (alert icmp any any -> any any (msg:"ICMP Packet"; sid:477; rev:3;)), then only that is
captured by snort, nothing else.

How much tuning should I do to my default snort ruleset before noticing any alerts by scans from pytbull etc?
Is the default snort implementation capable of detecting such attacks? I enabled all options in pytbull while scanning,
e.g. fragmented packets, brute force, shellcodes, DOS etc.

Ruleset used: snortrules-snapshot-2961.tar.gz


Having not tested pytbull myself successfully, I'd say take a look at the Snort FAQ.

https://github.com/vrtadmin/snort-faq/blob/master/FAQ/Im-not-receiving-alerts-in-Snort.md

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team
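A diagnostic in the spirit of the FAQ link above, added here as an example and not taken from the thread or from the Snort project: it parses the var/include lines of a snort.conf and counts enabled versus commented-out rules in every included file, so empty or fully disabled categories (like the icmp.rules in the question) show up before you start wondering why a scan produced no alerts. The config and rule files it builds are constructed sample data; sid 1000001 and the temporary paths are assumptions.

```python
import os
import re
import tempfile
# One rule line: optional leading '#' (disabled), action, proto, src, sport, direction.
RULE_RE = re.compile(r"^\s*(#\s*)?(alert|log|pass|drop|reject|sdrop)\s+\S+\s+\S+\s+\S+\s+(->|<>)")

def parse_includes(conf_text):
    """Return the 'include' paths from a snort.conf with $VAR names expanded."""
    variables, includes = {}, []
    for line in conf_text.splitlines():
        if m := re.match(r"^\s*var\s+(\w+)\s+(\S+)", line):
            variables[m.group(1)] = m.group(2)
        elif m := re.match(r"^\s*include\s+(\S+)", line):
            path = m.group(1)
            for name, value in variables.items():
                path = path.replace("$" + name, value)
            includes.append(path)
    return includes

def count_rules(path):
    """Return (enabled, disabled) rule counts for one file, or None if it is missing."""
    if not os.path.isfile(path):
        return None
    counts = [0, 0]  # [enabled, disabled]
    with open(path) as fh:
        for m in filter(None, map(RULE_RE.match, fh)):
            counts[1 if m.group(1) else 0] += 1
    return tuple(counts)

def inventory(conf_path):
    """Map every rule file that snort.conf includes to its (enabled, disabled) counts."""
    with open(conf_path) as fh:
        return {p: count_rules(p) for p in parse_includes(fh.read())}

def build_sample():
    """Constructed snort.conf and rule files mirroring the thread (not a real ruleset)."""
    root = tempfile.mkdtemp()
    files = {  # icmp.rules is empty as in the question; server-other.rules has only a disabled rule
        "icmp.rules": "",
        "server-other.rules": '# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"x"; sid:1000001; rev:1;)\n',
        "local.rules": 'alert icmp any any -> any any (msg:"ICMP Packet"; sid:477; rev:3;)\n',
    }
    for name, body in files.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
    conf_path = os.path.join(root, "snort.conf")
    with open(conf_path, "w") as fh:
        fh.write(f"var RULE_PATH {root}\n" + "".join(f"include $RULE_PATH/{n}\n" for n in files))
    return conf_path
```

Run `inventory(build_sample())` to see that only local.rules contributes an enabled rule; pointing `inventory` at a real snort.conf gives the same per-file picture for a downloaded snapshot.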
