The basic answer is: What is on your network, what are you trying to catch, and what are you interested in? Start with Operating Systems. What OSes do you have? Turn those rules on. (netbios.rules, attack-response.rules, web-client.rules) What browsers (and versions) do you have, turn those rules on. What Programs do you use, turn those rules on. (Do you use AOL Instant Messenger?)
What are you trying to catch: Employees surfing porn? (porn.rules) Employees that have spyware? (spyware-put.rules) Employees that are running unauthorized programs? (policy.rules, chat.rules) Viruses? (specific-threats.rules, virus.rules, exploit.rules) Exploits? etc.

What are you interested in: More of the above, but these are more optional: policy.rules, chat.rules

You see my point. Don't turn everything on because that will only create more work than you need; only turn on what you intended to DO something with, tailored to your network. What is actionable? Go with that.

J

On Wed, Sep 30, 2009 at 10:18 AM, Ben Greenfield <[email protected]> wrote:
> It certainly sounds like you are running snort inline. I recommend
> tuning the snort.conf file to be a very accurate representation of the
> network snort is seeing traffic for. Are you running snort on your
> internal network or on your WAN connection? It sounds like you are
> running snort on your WAN connection. I would only run rule
> categories that relate to services you are actually running - if you
> don't have any HTTP servers accepting connections where Snort can see
> them, you don't need to run the HTTP rules, etc.
>
> On Wed, Sep 30, 2009 at 9:19 AM, Will Metcalf <[email protected]> wrote:
> > If you are running in passive mode this should not happen. If you are
> > running inline then you should run with alert only rules until you can
> > weed out false positives and then convert to drop rules one rule file
> > at a time, or for certain types of events that you know you should
> > never see in your environment.
> >
> > Regards,
> >
> > Will
> >
> > On Wed, Sep 30, 2009 at 2:18 AM, Thomas Fischer <[email protected]> wrote:
> >> So outside of enabling everything, which I can't seem to do as it is
> >> seriously impairing my network access by slow load times, pictures not
> >> showing up, IM disconnections, gaming issues.
> >> Which package rules would you enable or disable to have a safe but
> >> optimized snort-ids probe?
> >> Cheers
> >>
> >> --
> >> Thomas Fischer
> >> email: [email protected] [email protected] twitter.com/FVT
> >> fvter.wordpress.com
> >> IM: gTalk:[email protected] MSN:[email protected]
> >> Y!:tvfischer_FR
> >> PGP Key:
> >> https://keyserver1.pgp.com/vkd/DownloadKey.event?keyid=0x27FBA97646CF2077
> >> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> >> Sent from Crosne, France
> >>
> >> _______________________________________________
> >> Pauldotcom mailing list
> >> [email protected]
> >> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> >> Main Web Site: http://pauldotcom.com
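As an added example (not code from anyone in this thread), the following Python script turns the advice above into something repeatable: pick the rule categories from an inventory of what is on the network and what you want to catch, rewrite the `include $RULE_PATH/...` lines of a snort.conf so only those categories are active, report any chosen category the conf does not carry, and, for the inline rollout Will describes, promote one rule file from `alert` to `drop` once it has stopped producing false positives. The inventory-to-category tables and the snort.conf fragment are constructed for illustration and are an assumption about how you would map your own environment, not an authoritative list; the rule file names are the ones mentioned in the thread.

```python
"""Constructed example: select Snort rule categories from an inventory and
tune a snort.conf accordingly.  Tables and sample config are illustrative."""
import re

# Assumed mapping from things on the network to rule files (not authoritative).
INVENTORY_RULES = {
    "windows":  ["netbios.rules", "attack-response.rules"],
    "browsers": ["web-client.rules"],
    "aim":      ["chat.rules"],
}

# Assumed mapping from "what do you want to catch" to rule files.
GOAL_RULES = {
    "porn":         ["porn.rules"],
    "spyware":      ["spyware-put.rules"],
    "unauthorized": ["policy.rules", "chat.rules"],
    "viruses":      ["specific-threats.rules", "virus.rules", "exploit.rules"],
}

# Matches "include $RULE_PATH/foo.rules", commented out or not.
INCLUDE_RE = re.compile(r"^(#\s*)?include\s+\$RULE_PATH/(\S+\.rules)\s*$")

# Constructed snort.conf fragment standing in for a real one.
SAMPLE_SNORT_CONF = """\
var HOME_NET 192.168.1.0/24
include $RULE_PATH/netbios.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/chat.rules
include $RULE_PATH/porn.rules
# include $RULE_PATH/policy.rules
include $RULE_PATH/exploit.rules
"""


def select_rule_files(inventory, goals):
    """Return the sorted set of rule files the inventory and goals justify."""
    chosen = set()
    for item in inventory:
        chosen.update(INVENTORY_RULES.get(item, []))
    for goal in goals:
        chosen.update(GOAL_RULES.get(goal, []))
    return sorted(chosen)


def tune_snort_conf(conf_text, enabled):
    """Enable the chosen include lines and comment out every other one.
    Non-include lines (HOME_NET, preprocessors, ...) pass through unchanged."""
    enabled = set(enabled)
    out = []
    for line in conf_text.splitlines():
        m = INCLUDE_RE.match(line)
        if not m:
            out.append(line)
        elif m.group(2) in enabled:
            out.append(f"include $RULE_PATH/{m.group(2)}")
        else:
            out.append(f"# include $RULE_PATH/{m.group(2)}")
    return "\n".join(out) + "\n"


def active_includes(conf_text):
    """List rule files that are included and not commented out, in conf order."""
    return [m.group(2) for m in map(INCLUDE_RE.match, conf_text.splitlines())
            if m and not m.group(1)]


def missing_includes(conf_text, enabled):
    """Chosen rule files the conf has no include line for (commented or not),
    so a category you meant to enable is not silently skipped."""
    present = {m.group(2) for m in map(INCLUDE_RE.match, conf_text.splitlines()) if m}
    return sorted(set(enabled) - present)


def promote_alert_to_drop(rules_text):
    """Inline rollout step: switch one rule file's active rules from alert to
    drop.  Commented-out rules ('# alert ...') are left alone."""
    return re.sub(r"^alert\b", "drop", rules_text, flags=re.MULTILINE)


if __name__ == "__main__":
    chosen = select_rule_files(["windows", "browsers"], ["porn"])
    print(tune_snort_conf(SAMPLE_SNORT_CONF, chosen))
    print("missing from conf:", missing_includes(SAMPLE_SNORT_CONF, chosen))
```

The script only toggles include lines that already exist in the conf, which is why `missing_includes` is there: a Windows-heavy network that chose `attack-response.rules` would otherwise never learn that the file was never wired in. Run `promote_alert_to_drop` against one rules file at a time, after you have watched its alerts long enough to be sure they are real.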
