Snort mailing list archives
Re: same question about snort rules
From: Joel Esler <jesler () sourcefire com>
Date: Thu, 4 Aug 2011 13:27:02 -0400
On Aug 3, 2011, at 11:53 PM, Zhuxian wrote:
1. Does snort provide the test tools and test model to test these rules?
Snort is the way to make sure the rules are correct and Snort starts, if you are looking at how to test the rules themselves.
Or is there any suggested tools to test these rules?
If you are looking to test the detection the rules provide, you can look at tools like metasploit and other pen-testing tools. We use the same tools to test Snort and our rulesets (and a few more) that a lot of you use, so the results should be the same.
<snip>
2. Some rules are commented in rules file released by snort. Does this mean these are the default rules setting for snort?
So, there are the connectivity over security (connectivity-ips), balanced (balanced-ips), and Security over connectivity (security-ips) policies. We have criteria (performance, detection, in the wild, etc.) for what rules go into what policies. We are currently examining ways to expose that criteria to the end user. We have a method for how to do it, I just haven't had a chance to finish the project plan yet. :) The VRT makes this determination when we write the rule and then the determination is double-checked when the rule is committed into the set. Then we have if the rule is "on" or "off" (not-commented out vs. commented out), this is also for performance, detection, in the wild, etc. And as I said, we are working on ways to expose this to the user. The policies override the default on/off. But the default on/off is there for people who do not use the pulledpork (and Sourcefire) features of those products to use one of the three policies. The three policies are a basis start point, then you tune from there.
Is there any references or guides for the customer to tune the rule set?
We don't have a formal written guide for people to tune the rule set for Snort. Might be a good idea. However, we are currently working on a project within the VRT to reorganize the entire ruleset into something that makes more sense for the end user and makes the ruleset easier to tune, both from a starting point, and from a continuation point (as rule updates are downloaded). This project plan I am currently working on, and we are going to be working on it through 2011 (it's a large change). I will keep the Snort community updated through blog posts on http://blog.snort.org as the project progresses.
Joel
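The interaction between the shipped on/off state (uncommented vs. commented out) and the three policies described above can be made concrete with a small script. The following is an added example, not code from the post, from Sourcefire, or from pulledpork: it parses a constructed ruleset (the rules and SIDs are invented for illustration), reads each rule's `metadata:policy <name> <action>` entries, and reports which SIDs end up enabled either under the shipped defaults or under a chosen policy. The selection logic (a policy, when given, overrides the shipped on/off state) is an approximation of the behaviour the post attributes to the policies; it is not a reimplementation of pulledpork.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample ruleset (not from the page or from any VRT release).
# 1000001: on by default, in balanced and security policies.
# 1000002: off by default (commented out), only in the security policy.
# 1000003: on by default, carries no policy metadata at all.
# 1000004: off by default, in all three policies.
SAMPLE_RULES = """\
# ----- constructed example rules -----
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE-WEB suspicious uri"; flow:to_server,established; content:"/example-probe"; http_uri; metadata:policy balanced-ips drop, policy security-ips drop; sid:1000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE-SSH noisy banner grab"; flow:to_server,established; content:"SSH-"; depth:4; metadata:policy security-ips alert; sid:1000002; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"EXAMPLE-ICMP echo request"; itype:8; sid:1000003; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE-SMB malformed header"; flow:to_server,established; content:"|FF|SMB"; depth:8; metadata:policy connectivity-ips drop, policy balanced-ips drop, policy security-ips drop; sid:1000004; rev:1;)
"""

# A rule line: optional leading "#" (shipped off), then an action keyword and the rule body.
RULE_RE = re.compile(r"^\s*(?P<off>#\s*)?(?P<body>(alert|drop|pass|log|reject|sdrop)\s.*\))\s*$")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
META_RE = re.compile(r"\bmetadata\s*:\s*([^;]*);")
POLICY_RE = re.compile(r"^policy\s+(\S+)\s+(\S+)$")


@dataclass
class Rule:
    sid: int
    body: str                 # rule text without the leading comment marker
    default_on: bool          # True if shipped uncommented, False if commented out
    policies: Dict[str, str] = field(default_factory=dict)  # policy name -> action


def parse_rules(text: str) -> List[Rule]:
    """Extract rules (on or off) from a rules file; ordinary comments are skipped."""
    rules: List[Rule] = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        body = m.group("body")
        sid_m = SID_RE.search(body)
        if not sid_m:
            continue  # a rule without a sid is not usable for tuning
        policies: Dict[str, str] = {}
        meta_m = META_RE.search(body)
        if meta_m:
            for item in meta_m.group(1).split(","):
                pm = POLICY_RE.match(item.strip())
                if pm:
                    policies[pm.group(1)] = pm.group(2)
        rules.append(Rule(int(sid_m.group(1)), body, m.group("off") is None, policies))
    return rules


def enabled_sids(rules: List[Rule], policy: Optional[str] = None) -> List[int]:
    """No policy: keep the shipped on/off state. With a policy: it overrides the default."""
    if policy is None:
        return sorted(r.sid for r in rules if r.default_on)
    return sorted(r.sid for r in rules if policy in r.policies)


def render(rules: List[Rule], policy: Optional[str] = None) -> str:
    """Write the ruleset back out, commenting or uncommenting each rule for the chosen policy."""
    on = set(enabled_sids(rules, policy))
    return "\n".join(r.body if r.sid in on else "# " + r.body for r in rules) + "\n"


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    for name in (None, "connectivity-ips", "balanced-ips", "security-ips"):
        print(f"{name or 'shipped defaults':>18}: {enabled_sids(parsed, name)}")
```

Running the script shows the ordering the post describes: the shipped defaults enable 1000001 and 1000003, while connectivity-ips (the most conservative policy) enables only 1000004, and security-ips enables every rule that carries that tag. A rule with no policy metadata, such as 1000003, drops out as soon as any policy is selected, which is worth checking for before deploying a regenerated file. Syntax correctness of the rewritten file is still verified the way the post says it is, by starting Snort against it (for example with its `-T` test mode and the intended configuration).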
Current thread:
- same question about snort rules Zhuxian (Aug 03)
- Re: same question about snort rules Jason Wallace (Aug 04)
- Re: some question about snort rules Zhuxian (Aug 17)
- Re: some question about snort rules Joel Esler (Aug 17)
- Re: some question about snort rules JJC (Aug 17)
- Re: some question about snort rules Zhuxian (Aug 17)
- Re: same question about snort rules Jason Wallace (Aug 04)
- Re: same question about snort rules Joel Esler (Aug 04)
- Re: same question about snort rules Will Metcalf (Aug 04)
- Re: same question about snort rules Joel Esler (Aug 04)
- Re: same question about snort rules rmkml (Aug 04)
- Re: same question about snort rules rmkml (Aug 04)
- Re: same question about snort rules Joel Esler (Aug 04)
- Re: same question about snort rules Will Metcalf (Aug 04)