Snort mailing list archives
Re: rules set
From: Erek Adams <erek () theadamsfamily net>
Date: Mon, 25 Nov 2002 17:22:15 -0800 (PST)
[I'm on short sleep and a bit testy, so I'm apologizing if I get a bit terse. ;-) ]

On Mon, 25 Nov 2002, Don wrote:

> Is there anywhere that has a rules set specifically tuned to O/S or target criteria, for instance, if I have ONLY windows and SQL, I don't need to load
> [...snip...]

I'm sorry, but there isn't. You'll have to roll your own.

<mini-rant>
This is a _HORRIBLE_ idea. What you have on your network is not the same that's on Marty's net, Erek's net, Brian's net, etc... Tuning of your IDS (snort, NetRanger, RealSecure, etc...) should be done by you (the IDS operator) and not someone who's unfamiliar with your network.

It takes about 10 days to cut out about 70% of the sigs that aren't useful in your network. Start with all the default rules and log the packets in binary format. As you get alerts, look at the binary logs and check the packet contents. The packet contents should be enough for you to decide if the alert was a false positive or not. If it's not valid, and you're not concerned about it, write a pass rule, use a BPF filter [0] or disable the rule. If your issue is too much traffic, then use a BPF filter to just look at a small subset of your network (/29, /28, /27, etc...)
</mini-rant>

One thing that I've noticed is that folks look at snort and its config files and get a little intimidated by the configuration file and/or the rules. It's really not that complex, it's just a lot of data. :)

Anyway, it's not all bad, just a bit of stuff to go over. Hope that helps or gives you some insight!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

[0] http://www.theadamsfamily.net/~erek/snort/ignore.txt
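The triage loop Erek describes (run the default rules, see which sigs fire and from where, review the packets, then write a narrow pass rule, add a BPF filter, or disable the sig) as an added example that is not Erek's code or the Snort project's: a Python script that parses lines in Snort's one-line "fast" alert format, ranks signatures by volume and distinct sources, and builds a pass rule for a flow the operator has already reviewed and judged benign. The sample alert lines, SIDs, messages and addresses are constructed for this example, and `parse_alert`, `top_signatures`, `report` and `pass_rule` are helper names assumed here.

```python
import re
from collections import Counter

# Constructed sample alerts in Snort's "fast" alert format. The SIDs, messages,
# timestamps and addresses are made up for this example and describe no real traffic.
SAMPLE_ALERTS = """\
11/25-17:01:03.120000  [**] [1:1000:1] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.50:3341 -> 10.0.0.5:80
11/25-17:01:09.441000  [**] [1:1000:1] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.51:3342 -> 10.0.0.5:80
11/25-17:02:11.002000  [**] [1:2000:2] SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.0.0.9:1029 -> 10.0.0.1:161
11/25-17:02:12.005000  [**] [1:2000:2] SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.0.0.9:1029 -> 10.0.0.2:161
11/25-17:02:13.009000  [**] [1:2000:2] SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.0.0.9:1029 -> 10.0.0.3:161
11/25-17:05:40.770000  [**] [1:3000:1] MS-SQL version overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {UDP} 172.16.4.4:52312 -> 10.0.0.20:1434
11/25-17:06:00.000000  [**] [1:4000:1] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.77 -> 10.0.0.5
"""

# One regex for the one-line "fast" format. Ports are optional so that ICMP alerts
# ("{ICMP} src -> dst") parse as well as TCP/UDP ones.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line):
    """Return the fields of one fast-format alert line, or None if it does not parse."""
    m = FAST_RE.match(line)
    if not m:
        return None
    a = m.groupdict()
    for k in ("gid", "sid", "rev", "sport", "dport"):
        a[k] = int(a[k]) if a[k] is not None else None
    return a


def top_signatures(alert_text):
    """Count alerts per (gid, sid, msg) and collect the source addresses seen for each."""
    counts = Counter()
    sources = {}
    for line in alert_text.splitlines():
        a = parse_alert(line)
        if a is None:          # skip blank or non-alert lines (e.g. the startup banner)
            continue
        key = (a["gid"], a["sid"], a["msg"])
        counts[key] += 1
        sources.setdefault(key, set()).add(a["src"])
    return counts, sources


def report(alert_text):
    """Rank signatures by volume: [(count, gid, sid, msg, distinct_sources), ...].
    Many hits from one source against a known local service is the usual shape of a
    false positive worth reviewing first; few hits from many sources is not."""
    counts, sources = top_signatures(alert_text)
    rows = [(n, gid, sid, msg, len(sources[(gid, sid, msg)]))
            for (gid, sid, msg), n in counts.items()]
    return sorted(rows, key=lambda r: (-r[0], r[2]))


def pass_rule(proto, src, dst, dport, comment, local_sid):
    """Build a Snort pass rule for a flow the operator has reviewed and judged benign.
    A header-only pass rule silences every rule on that flow, not just the noisy one,
    so keep it as narrow as the review allows (one source, one service). local_sid
    should come from the range Snort reserves for local rules (1000000 and up)."""
    return (f'pass {proto.lower()} {src} any -> {dst} {dport} '
            f'(msg:"{comment}"; sid:{local_sid}; rev:1;)')


if __name__ == "__main__":
    for n, gid, sid, msg, nsrc in report(SAMPLE_ALERTS):
        print(f"{n:4d}  [{gid}:{sid}]  {msg}  ({nsrc} source(s))")
    # After checking the packet contents and confirming 10.0.0.9 is the site's own
    # SNMP poller, the operator might add this line to local.rules:
    print(pass_rule("udp", "10.0.0.9", "10.0.0.0/29", 161,
                    "Approved SNMP poller, reviewed 2002-11-25", 1000001))
```

Feed it the alert file from a run with the default rule set and the top of the report is the list to work through against the binary packet logs. Two things to keep in mind when acting on it: Snort 1.x/2.x evaluates pass rules after alert rules unless it is started with `-o`, so check your version's documentation before relying on one; and for the traffic-subset approach Erek mentions, a BPF expression such as `net 10.0.0.0/29` given on the snort command line restricts what the sensor sees at all, which is a different lever from a pass rule that only mutes alerts.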