Snort mailing list archives

Re snort plus Ossetia


From: "Don M." <djmurd () cox net>
Date: Wed, 17 Feb 2016 07:38:24 -0500

On the question of top snort IDs... General decision making is a thought process tuned to your org. For me, 
personally, I'd do something like this:

First, make decisions and enable rules that represent your environment.
Second, look for any rules that relate to outbound command and control.
Third, there are rules that detect remote code execution payloads.
Fourth, there are a few UDP based single packet kills.
Fifth, I block ICMP at the border, so those rules inbound would never trigger (I hope....).
Sixth, I would want SYN + ACK packets for 3389, 22, 23 exiting my server network because that indicates the start of a 
system responding to remote access (FIN + ACK would be the natural end, normally). The rule is directional.

Hopefully you get the idea here. I am sure that some would change the order, or emphasize one topic for another, ...but 
the point is that intrusion detection works better when you establish priorities and know your environment.
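The sixth priority above is the one that most depends on direction, so here is an added example (not code from the post or from the Snort project) that models that check over a handful of constructed packet records: a SYN+ACK leaving the server network from port 22, 23 or 3389 is the event of interest, while the inbound SYN, the FIN+ACK at session end, and a SYN+ACK in the other direction are not. The server network range, the packet records and the reference Snort rule in the comment are assumptions chosen for the example.

```python
"""Directional SYN+ACK check for remote-access ports.

Constructed example modelled on the post's sixth priority; not Snort code.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List

# Assumed network definition (placeholder, not from the post).
SERVER_NET = ip_network("10.10.0.0/16")
REMOTE_ACCESS_PORTS = {22, 23, 3389}

# Equivalent Snort 2 rule, for reference (assumes "ipvar SERVER_NET ..." is
# defined in snort.conf; sid is in the local-rule range):
#   alert tcp $SERVER_NET [22,23,3389] -> $EXTERNAL_NET any \
#       (msg:"Server answered remote-access connection"; flags:SA; \
#        flow:stateless; sid:1000001; rev:1;)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flag letters, e.g. "S", "SA", "FA", "R"


def is_server_answering_remote_access(pkt: Packet) -> bool:
    """True when a host inside SERVER_NET sends SYN+ACK from a remote-access
    port to a host outside SERVER_NET, i.e. the server accepted the session.
    The direction test is what keeps intra-network traffic and our own
    outbound sessions from triggering."""
    if set(pkt.flags) != {"S", "A"}:
        return False
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    return (src in SERVER_NET and dst not in SERVER_NET
            and pkt.sport in REMOTE_ACCESS_PORTS)


def scan(packets: Iterable[Packet]) -> List[Packet]:
    """Return the packets that match the directional SYN+ACK check."""
    return [p for p in packets if is_server_answering_remote_access(p)]


# Constructed packet records covering the cases the post distinguishes.
SAMPLE_PACKETS = [
    Packet("198.51.100.7", 51000, "10.10.1.5", 22, "S"),    # inbound SYN: not the trigger
    Packet("10.10.1.5", 22, "198.51.100.7", 51000, "SA"),   # server answers: trigger
    Packet("198.51.100.7", 51000, "10.10.1.5", 22, "A"),    # handshake completes
    Packet("10.10.1.5", 22, "198.51.100.7", 51000, "FA"),   # FIN+ACK: natural end, not a trigger
    Packet("10.10.2.9", 443, "198.51.100.7", 52000, "SA"),  # web server answering: port not in set
    Packet("10.10.1.5", 3389, "10.10.3.3", 53000, "SA"),    # RDP inside server net: direction excludes it
    Packet("203.0.113.4", 3389, "10.10.1.5", 54000, "SA"),  # external host answering our outbound RDP: not the trigger
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_PACKETS):
        print(f"ALERT {hit.src}:{hit.sport} -> {hit.dst}:{hit.dport} flags={hit.flags}")
```

Run stand-alone it reports exactly one alert, the SYN+ACK from 10.10.1.5:22 to the external client. Swapping the source and destination checks, or dropping them, would make the intra-network RDP and the external host's reply fire as well, which is the false-positive class the "rule is directional" remark is about.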
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!