From: Will M. <wil...@gm...> - 2008-04-16 00:10:38

I think it is assumed rules will be tweaked for one's own environment. Rob, I think that you are kind of in a unique situation in that you are trying to protect the rest of the world from your network.

Some things to stay away from...

Anything with flowbits:noalert; you want to make sure you don't set to drop, as a lot of these rules are used in protocol identification/behavior and are later checked in a separate rule that does alert/drop.

Ditch the replace ruleset. The problem with this is that now that you have pcre, uricontent, and other normalized data it is not safe to generate a ruleset that will replace the content matches in the rule. You might have a content match that is also used for protocol identification/behavior and the bad juju lives in the pcre and/or uricontent portion of the rule. Maybe for Honeywall you leave this as an exercise for the user.

Just a suggestion...

Regards,
Will

On Tue, Apr 15, 2008 at 5:56 PM, Joel Esler <es...@gm...> wrote:
> Afaik there are not a specific set of rules that are by default set to
> drop. You'd need to do this using oinkmaster or something. As far as
> rulesets, there are a bunch out there!
>
> --
> Joel Esler
> Sent from the iRoad.
>
> On Apr 15, 2008, at 6:48 PM, Robert Mcmillen <rv...@gm...> wrote:
>
>> Any issues with proper service operation due to the change of all alert
>> rules to drop?
>>
>> Do you exclude any rule files from snort_inline.conf or do you use
>> every single snort rule converted to drop?
>>
>> Thanks in advance,
>>
>> Rob
>>
>> On Apr 15, 2008, at 5:33 PM, xyon wrote:
>>
>>> I typically download the rules, then run oinkmaster configured with a
>>> regex to prefix all rules with "drop: " instead of "alert: ". I then
>>> run snort (2.7.0) with the -Q switch.
>>>
>>> HTH
>>
>> _______________________________________________
>> Snort-inline-users mailing list
>> Sno...@li...
>> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
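As an added illustration of the two points made in this thread (xyon's blanket alert-to-drop rewrite, and Will's warning that rules carrying flowbits:noalert must stay as alert because they only set state for a later rule), the following script is not from the thread or from oinkmaster; it is a stand-alone converter that rewrites the action of each rule while leaving noalert rules, comments and non-rule lines untouched. The sample rules and SIDs are constructed for the example.

```python
import re

# Constructed sample ruleset (hypothetical rules and SIDs, not from any real set).
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER seen"; flow:to_server,established; content:"USER"; flowbits:set,ftp.user; flowbits:noalert; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP oversized PASS"; flow:to_server,established; flowbits:isset,ftp.user; content:"PASS"; pcre:"/^PASS x{200,}/"; sid:1000002; rev:1;)
# alert tcp any any -> any 80 (msg:"disabled rule stays a comment"; sid:1000003; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"DNS state only"; flowbits: noalert; sid:1000004; rev:1;)
"""

# A live rule: optional indent, the literal action "alert", then the header and options.
RULE_RE = re.compile(r'^(?P<indent>\s*)alert(?P<rest>\s+.*\(.*\)\s*)$')
# flowbits:noalert, tolerating whitespace around the colon as Snort does.
NOALERT_RE = re.compile(r'flowbits\s*:\s*noalert\b')


def alert_to_drop(rules_text):
    """Rewrite 'alert' rules to 'drop' for inline mode.

    Rules that carry flowbits:noalert are left as 'alert': they exist only to
    set a flowbit for a later rule, so dropping on them would block traffic
    that has not yet matched anything malicious. Comments and blank lines are
    passed through. Returns (converted_text, counters).
    """
    out = []
    stats = {"converted": 0, "kept_noalert": 0, "untouched": 0}
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if not m:  # comment, blank line, or a rule with a different action
            out.append(line)
            stats["untouched"] += 1
        elif NOALERT_RE.search(line):  # state-setting rule: keep as alert
            out.append(line)
            stats["kept_noalert"] += 1
        else:
            out.append(m.group("indent") + "drop" + m.group("rest"))
            stats["converted"] += 1
    return "\n".join(out) + "\n", stats


if __name__ == "__main__":
    text, counts = alert_to_drop(SAMPLE_RULES)
    print(text)
    print(counts)
```

Run it over a real rules file by feeding the file contents to `alert_to_drop` and then diffing the output against the original before loading it into snort with `-Q`.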