Snort mailing list archives
Re: Filtering the Snort Rule Set for Firewall Blocks
From: Frank Knobbe <frank () knobbe us>
Date: Sat, 29 Aug 2009 16:05:49 -0500
On Fri, 2009-08-28 at 13:54 -0700, CunningPike wrote:
We ran our sensor for quite a while before we started using snortsam so we could get a feel for which rules would be good block candidates - I would advise you to do the same. The Emerging Threats project (http://www.emergingthreats.net/) has a couple of block rulesets that block known RBN hosts and so forth - they might be a good start for snortsam, but be aware that they are IP-based rules and can be quite processor intensive. You might find the IP blacklist beta code for snort of more interest in this area.
I never understood why IP-based rules are required to block with Snortsam. If you know bad IPs already, block 'em! Don't wait for the alert.

Even written rules ready for Snortsam (fwsam option) should be reviewed. As CP said, run rules for a while and see if they create false positives. For example, 'content:"Useragent: Morfeus F Scanner"' has a 0 chance of false positives, so it's safe to configure that with autoblock. 'content:"setup.php"' on the other hand may false occasionally, so it's probably not a good candidate. It really depends on the signature itself, your environment (only servers, or also users browsing out that can create alerts that may trigger, what type of servers, etc.), and what level of risk in regards to false positives you want to take.

I myself am cautious, so I only have a couple dozen sigs on auto-block. Our IDS console allows us to block when we determine it's a real attack. Your mileage may vary of course. IDS in general is not a configure-and-forget sorta thing, so don't assume you can just configure tons of sigs to auto-block and let it run unattended :)

Cheers,
Frank
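An added example of the review step both replies recommend (my code, not Frank's, CunningPike's or Snortsam's): tally a stretch of Snort alert_fast output per signature and flag signatures that ever fired from trusted internal address space, since those are the ones likely to false and so are poor Snortsam auto-block candidates. The log lines, SIDs 9000001/9000002 and address ranges are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Snort alert_fast layout: timestamp, [gen:sid:rev], msg, [**], class/prio, {proto} src:port -> dst:port
FAST_RE = re.compile(
    r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+"
)

# Constructed sample: a scanner user-agent signature that only fires from outside,
# and a generic "setup.php" signature that also fires from an internal user subnet.
SAMPLE_LOG = """\
08/28-13:54:01.100000  [**] [1:9000001:1] TEST Morfeus F Scanner UA [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.5:51234 -> 192.0.2.10:80
08/28-14:02:17.200000  [**] [1:9000001:1] TEST Morfeus F Scanner UA [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.9:40001 -> 192.0.2.10:80
08/28-14:10:44.300000  [**] [1:9000002:1] TEST setup.php request [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 203.0.113.77:33000 -> 192.0.2.10:80
08/28-15:21:09.400000  [**] [1:9000002:1] TEST setup.php request [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 10.1.5.23:52000 -> 192.0.2.10:80
"""

# Constructed "trusted" ranges: internal users and the server subnet itself.
TRUSTED = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]

def parse_fast_log(text):
    """Yield (sid, msg, src_ip) for every parsable alert_fast line."""
    for line in text.splitlines():
        m = FAST_RE.search(line)
        if m:
            yield int(m.group(2)), m.group("msg"), ipaddress.ip_address(m.group("src"))

def autoblock_candidates(text, trusted=TRUSTED):
    """Per SID: message, alert count, distinct sources, and hits from trusted space."""
    stats = defaultdict(lambda: {"msg": "", "alerts": 0, "sources": set(), "trusted_hits": 0})
    for sid, msg, src in parse_fast_log(text):
        s = stats[sid]
        s["msg"] = msg
        s["alerts"] += 1
        s["sources"].add(str(src))
        if any(src in net for net in trusted):
            s["trusted_hits"] += 1
    return dict(stats)

def safe_to_autoblock(stats):
    """SIDs that never fired from trusted space: the only ones worth an fwsam option."""
    return sorted(sid for sid, s in stats.items() if s["trusted_hits"] == 0)

if __name__ == "__main__":
    stats = autoblock_candidates(SAMPLE_LOG)
    for sid, s in sorted(stats.items()):
        print(sid, s["msg"], "alerts:", s["alerts"], "sources:", len(s["sources"]), "trusted hits:", s["trusted_hits"])
    print("auto-block candidates:", safe_to_autoblock(stats))
```

Feed it a real alert file collected over a few weeks of running the sensor without Snortsam, and review anything it keeps by hand before adding the fwsam option.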