Snort mailing list archives

default snort rules


From: Abhijit Tikekar <abhijittikekar () gmail com>
Date: Tue, 8 Jul 2014 14:27:53 -0400

Hi,

I am a new snort user. Current implementation is snort-2.9.6.1 on CentOS
6.4 along with barnyard and snorby. My question is regarding the ruleset
which I downloaded as a registered user.

Many of the rule files are empty, e.g., icmp.rules or ddos.rules. Are these
supposed to be empty?

The reason I am asking is because when I used pytbull against snort to
test, snort.log never recorded anything.
When I add a test icmp rule (alert icmp any any -> any any (msg:"ICMP
Packet"; sid:477; rev:3;)), then only that is captured by snort, nothing
else.

How much tuning should I do to my default snort ruleset before noticing any
alerts by scans from pytbull etc?
Is the default snort implementation capable of detecting such attacks? I
enabled all options in pytbull while scanning, e.g., fragmented packets,
brute force, shellcodes, DoS etc.

Ruleset used: *snortrules-snapshot-2961.tar.gz*

Please advise.

Thanks,

Abhi
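The first thing to establish for a question like this one is not whether a rule file is zero bytes but whether the files that snort.conf actually includes carry any active (uncommented) rules, and whether a locally added test rule collides with a SID already in use. The script below is an added example, not code from the thread or from the Snort project: it parses a Snort 2.x snort.conf for `include` lines, counts active versus commented-out rules per included file, and flags included files with no active rules, includes that point at files that do not exist, rules with no `sid`, and duplicate gid/sid pairs. The snort.conf fragment and the four rule files embedded in it are constructed sample input; the file names only echo the ones mentioned in the post. Running `snort -T -c /etc/snort/snort.conf` after such an audit confirms what the daemon itself loads.

```python
"""Audit which Snort 2.x rule files are really in play.  Added example;
all input below is constructed, not taken from any real ruleset."""
import re
from collections import defaultdict

ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop", "activate", "dynamic")
# header: [#] action proto src sport dir dst dport ( options )
RULE_RE = re.compile(
    r'^(?P<disabled>#\s*)?(?P<action>%s)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+'
    r'(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*'
    r'\((?P<opts>.*)\)\s*$' % "|".join(ACTIONS))
INCLUDE_RE = re.compile(r'^\s*include\s+(\S+)')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid\s*:\s*(\d+)\s*;')


def parse_rules(text):
    """Split one rule file into (active, disabled) lists of rule dicts."""
    active, disabled = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = RULE_RE.match(raw.strip())
        if not m:
            continue  # blank lines, plain comments, var definitions
        opts = m.group("opts")
        sid, gid = SID_RE.search(opts), GID_RE.search(opts)
        rule = {"line": lineno, "action": m.group("action"),
                "proto": m.group("proto"),
                "gid": int(gid.group(1)) if gid else 1,  # default GID is 1
                "sid": int(sid.group(1)) if sid else None}
        (disabled if m.group("disabled") else active).append(rule)
    return active, disabled


def audit(conf_text, rule_files):
    """rule_files maps basename -> file contents.  Returns a report dict."""
    included = [INCLUDE_RE.match(l).group(1)
                for l in conf_text.splitlines() if INCLUDE_RE.match(l)]
    report = {"empty_includes": [], "missing_includes": [], "no_sid": [],
              "dup_sids": {}, "per_file": {}}
    seen = defaultdict(list)
    for inc in included:
        name = inc.rsplit("/", 1)[-1]  # strip $RULE_PATH/ prefix
        if name not in rule_files:
            report["missing_includes"].append(name)
            continue
        active, disabled = parse_rules(rule_files[name])
        report["per_file"][name] = (len(active), len(disabled))
        if not active:
            report["empty_includes"].append(name)
        for r in active:
            if r["sid"] is None:
                report["no_sid"].append((name, r["line"]))
            else:
                seen[(r["gid"], r["sid"])].append((name, r["line"]))
    report["dup_sids"] = {k: v for k, v in seen.items() if len(v) > 1}
    return report


# Constructed sample input: a snort.conf fragment plus the files it includes.
SNORT_CONF = """\
var RULE_PATH ../rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/local.rules
include $RULE_PATH/missing.rules
"""
RULE_FILES = {
    "icmp.rules": "# icmp.rules\n# (no rules in this snapshot)\n",
    "ddos.rules": "",
    "scan.rules": (
        '# alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"disabled"; sid:1000002; rev:1;)\n'
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH brute force"; flow:to_server; '
        'threshold:type both, track by_src, count 5, seconds 60; sid:1000001; rev:1;)\n'),
    "local.rules": (
        'alert icmp any any -> any any (msg:"ICMP Packet"; sid:477; rev:3;)\n'
        'alert icmp any any -> any any (msg:"ICMP dup"; sid:477; rev:1;)\n'),
}


def run_audit():
    """Audit the constructed sample above; returns the report dict."""
    return audit(SNORT_CONF, RULE_FILES)


if __name__ == "__main__":
    rep = run_audit()
    for name, (act, dis) in rep["per_file"].items():
        print("%-14s active=%d disabled=%d" % (name, act, dis))
    print("included but no active rules:", rep["empty_includes"])
    print("included but file missing:   ", rep["missing_includes"])
    print("duplicate gid/sid:           ", rep["dup_sids"])
```

In the sample, icmp.rules and ddos.rules are included but contribute nothing, the commented-out entry in scan.rules is counted separately from the live one, and the second local rule reusing sid 477 is reported as a collision; a missing include is reported too, since snort refuses to start in that case. Point the same functions at a real rules directory by reading the files into the `rule_files` mapping.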