Snort mailing list archives

Re: rules set


From: Erek Adams <erek () theadamsfamily net>
Date: Mon, 25 Nov 2002 17:22:15 -0800 (PST)

[I'm on short sleep and a bit testy, so I'm apologizing if I get a bit
terse.  ;-) ]


On Mon, 25 Nov 2002, Don wrote:

> Is there anywhere that has a rules set specifically tuned to O/S or target
> criteria, for instance, if I have ONLY windows and SQL, I don't need to load
>
> [...snip...]

I'm sorry, but there isn't.  You'll have to roll your own.


<mini-rant> This is a _HORRIBLE_ idea.  What you have on your network is
not the same that's on Marty's net, Erek's net, Brian's net, etc...
Tuning of your ID (snort, NetRanger, RealSecure, etc...) should be done by
you (the IDS operator) and not someone who's unfamiliar with your
network.  It takes about 10 days to cut out about 70% of the sigs that
aren't useful in your network.  Start with all the default rules and log
the packets in binary format.  As you get alerts, look at the binary logs
and check the packet contents.  The packet contents should be enough for
you to decide if the alert was a false positive or not.  If it's not
valid, and you're not concerned about it, write a pass rule, use a BPF
filter [0] or disable the rule.

If your issue is too much traffic, then use a BPF filter to just look at a
small subset of your network (/29, /28, /27, etc...)
</mini-rant>

One thing that I've noticed is that folks look at snort and its config
files and get a little intimidated by the configuration file and/or the
rules.  It's really not that complex, it's just a lot of data.  :)

Anyway, it's not all bad, just a bit of stuff to go over.

Hope that helps or gives you some insight!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net


[0]     http://www.theadamsfamily.net/~erek/snort/ignore.txt
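The triage loop the post describes (run the default rules, review what fires, then tune out the noise with a pass rule, a BPF filter, or by disabling the signature) as an added Python example. This is not code from the post or from the Snort project; the alert lines are constructed samples in Snort's alert_fast format, the sids and hosts are made up, and the helper names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample alerts in alert_fast format (timestamp, [gid:sid:rev], msg,
# classification, priority, protocol, src -> dst). Not from the original post.
SAMPLE_ALERTS = """\
11/25-17:22:15.104233  [**] [1:1000001:1] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.50:3321 -> 192.168.1.10:80
11/25-17:22:16.220101  [**] [1:1000002:1] SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.168.1.5:1029 -> 192.168.1.20:161
11/25-17:22:17.330444  [**] [1:1000002:1] SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.168.1.5:1029 -> 192.168.1.21:161
11/25-17:22:18.440555  [**] [1:1000002:1] SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.168.1.5:1029 -> 192.168.1.22:161
11/25-17:22:19.550666  [**] [1:1000003:2] EXPLOIT x86 NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 10.9.8.7:44321 -> 192.168.1.10:1433
"""

# One alert_fast line: "[**] [gid:sid:rev] msg [**] ... {PROTO} src[:sport] -> dst[:dport]".
# Ports are optional so ICMP alerts (no ports) parse as well.
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\]"
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))?"
    r" -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)


def parse_alerts(text):
    """Parse alert_fast lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            alerts.append(m.groupdict())
    return alerts


def count_by_sig(alerts):
    """Count alerts per signature (gid, sid, msg) so the noisiest rules surface first."""
    return Counter((a["gid"], a["sid"], a["msg"]) for a in alerts)


def top_signatures(counts, n=3):
    """The n signatures that fired most often; review their packet payloads first."""
    return counts.most_common(n)


def pass_rule(alert, local_sid, dst="any"):
    """Build a Snort pass rule scoped to the source host, protocol and destination
    port of an alert you have reviewed and judged a false positive. Local sids
    should be 1000000 or higher so they do not clash with the distributed rules."""
    proto = alert["proto"].lower()
    dport = alert["dport"] or "any"
    return (f'pass {proto} {alert["src"]} any -> {dst} {dport} '
            f'(msg:"tuned out: {alert["msg"]}"; sid:{local_sid}; rev:1;)')


def bpf_exclude(hosts):
    """BPF expression that keeps traffic to or from the given hosts away from the
    detection engine entirely (the heavier-handed alternative to a pass rule)."""
    return "not (" + " or ".join(f"host {h}" for h in hosts) + ")"


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    for (gid, sid, msg), n in top_signatures(count_by_sig(alerts)):
        print(f"{n:4d}  [{gid}:{sid}]  {msg}")
    # After checking the binary log: the SNMP hits come from the monitoring host, so
    # tune them out rather than disabling the signature for the whole network.
    snmp = next(a for a in alerts if a["sid"] == "1000002")
    print(pass_rule(snmp, local_sid=1000100))
    print(bpf_exclude([snmp["src"]]))
```

The pass rule goes into a local rules file that snort.conf includes; on Snort releases of this era pass rules are only consulted before alert rules when snort is started with `-o`, otherwise the alert still fires. The BPF expression can be handed to snort directly on the command line or via `-F <file>`, and the same expression works with tcpdump for checking what the filter actually drops before you trust it.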


