Netgate Discussion Forum
    Sn0rt: what are 'good' rulesets to enable in the category tab? pls help.

    pfSense Packages
    5 Posts 3 Posters 1.9k Views
    genic

      Currently I run 2.0.1-RELEASE (i386) - built on Tue Dec 13 13:35:17 EST 2011 - FreeBSD 8.1-RELEASE-p6 … with a DMZ that houses my webservers and Exchange edge server(s), and on a separate network I have my non-critical machines. I would like to know what the most common rule sets are that you should enable for sn0rt.

      Right now I do not have any shared rule sets enabled, and a few non-shared rule sets enabled. I still get bad traffic caught, but I would like to be a bit more secure than I already am.

      Any suggestions on which rule sets I need to enable? I have already defined my port numbers for the services that I use.
      Help would be MUCH appreciated. Thank you in advance.

      mibovrd

        Different for everybody. Depends on what you are trying to protect.

        Here is a good starter http://doc.emergingthreats.net/bin/view/Main/WhatEveryIDSUserShouldDo

        Tweet: MIBovrd@cqrite http://www.cqrite.com

        genic

          Already read that, and have all that covered. I am specifically looking for the sn0rt rule set options to enable.

          kevross33

            • Use emerging threats rules and VRT:
              web-client (VRT, ET)
            • ET: TROJAN, MALWARE, USER_AGENTS, WORM, WEB_SERVER, ATTACK_RESPONSE, CURRENT_EVENTS, RBN, COMPROMISED, CIARMY, BOTCNC, WEB_CLIENT etc
            • VRT: WEB_CLIENT, SPECIFIC_THREATS, WEB-MISC, WEB-IIS if running IIS, SQL rules if have database, botnet-cnc, blacklist, etc

            When Snort is updated on pfSense: VRT are reorganising their rules, so things like indicator-obfuscation, file-office, PDF etc. will all need to be enabled, but for now they are not available, as pfSense currently just went into an unsupported Snort version (2.9.0.5); you will receive new rules for ET, though. Obviously these rules are dependent on what you are protecting, but this would provide the basics for common attacks. Instead of the CIARMY and RBN rulesets you could use pfBlocker (and block countries you don't think would be accessing your servers normally) and then use the LISTS to add these as text:

            http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt (this is DShield, Russian Business Network, botnet CnCs)
            http://rules.emergingthreats.net/blockrules/compromised-ips.txt
            http://rules.emergingthreats.net/blockrules/rbn-malvertisers-ips.txt
            http://www.ciarmy.com/list/ci-badguys.txt

            Block both inbound and outbound and set pfBlocker to log. Using these you will block a lot of attacks, and combined with geoblocking it will also block a lot of malware-related activity too, without it even being able to connect to the suspicious IP. You could also look at ThreatStop for this, but I think most of the IP addresses are duplicated, as they get their botnet control server lists and things from Shadowserver too.

            I would also not enable blocking in Snort until you see what would be blocked by mistake and suppress it (unfortunately, even though you can enable/disable rules, pfSense currently does not remember those changes after an update, but I hope this would be sorted by a kind person who knows how :-D).

            On your webservers I would also consider (depending on your webserver) looking into ModSecurity (install it on the server and tune it) and OSSEC. ModSecurity is a web application firewall which can detect all sorts of web attacks, and OSSEC monitors and correlates local log files to detect attacks and can then email you and block the host if need be.

            Regards,
            Kev

            genic
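The list-merging step Kev describes (pulling several IP feeds into pfBlocker and blocking both directions with logging), as an added example that is not part of the thread and not pfBlocker's own code. It parses feeds in the one-entry-per-line shape of the URLs above, collapses duplicates and nested prefixes into one alias-ready list, rejects malformed or absurdly wide entries, and then judges sample flows the way a both-direction block rule would. The feed contents, the DMZ addresses (10.10.0.0/24) and the MIN_PREFIXLEN cutoff are constructed assumptions, not data from the real lists.

```python
"""Merge ET/CIArmy-style IP block lists and check flows against the result.

Added example, not from the forum thread or from pfSense/pfBlocker. The feed
contents below are constructed samples in RFC 5737 documentation ranges; the
real files linked in the thread have the same shape (comments starting with
'#', blank lines, one IPv4 address or CIDR per line).
"""
import ipaddress

# Constructed sample feeds (stand-ins for the downloaded .txt files).
SAMPLE_FEEDS = {
    "emerging-Block-IPs.txt": """\
# Emerging Threats block list (constructed sample)
192.0.2.0/24
198.51.100.7
198.51.100.7        # duplicate entry, common across feeds
203.0.113.0/25
not-an-ip           # malformed line; must not abort the whole feed
""",
    "compromised-ips.txt": """\
198.51.100.7
203.0.113.9
198.51.100.200
""",
    "ci-badguys.txt": """\
203.0.113.0/24
192.0.2.77
""",
}

# Assumption: no legitimate feed entry is broader than a /8. Anything wider
# (e.g. 0.0.0.0/0 from a corrupted download) would blackhole the firewall.
MIN_PREFIXLEN = 8


def parse_feed(text):
    """Return (networks, rejected) for one feed; rejected keeps the raw lines."""
    networks, rejected = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append(raw)
            continue
        if net.prefixlen < MIN_PREFIXLEN:
            rejected.append(raw)
            continue
        networks.append(net)
    return networks, rejected


def merge_feeds(feeds):
    """Union of every feed with duplicates and nested prefixes collapsed."""
    v4, v6 = [], []
    for text in feeds:
        nets, _ = parse_feed(text)
        for net in nets:
            (v4 if net.version == 4 else v6).append(net)
    # collapse_addresses() refuses mixed address families, hence the split.
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def verdict(direction, src, dst, blocked):
    """'block' if the external side of a flow is in the merged list.

    Inbound flows are judged on their source, outbound flows on their
    destination, mirroring "block both inbound and out" in pfBlocker.
    """
    external = ipaddress.ip_address(src if direction == "in" else dst)
    if any(external in net for net in blocked):
        return "block"
    return "pass"


def check_flows(flows, blocked):
    """Apply verdict() to (direction, src, dst) tuples; returns the verdicts."""
    return [verdict(d, s, t, blocked) for d, s, t in flows]


if __name__ == "__main__":
    merged = merge_feeds(SAMPLE_FEEDS.values())
    print("merged block list (alias-ready, one prefix per line):")
    for net in merged:
        print(" ", net)
    for name, text in SAMPLE_FEEDS.items():
        for line in parse_feed(text)[1]:
            print(f"rejected in {name}: {line!r}")
    # Constructed flows; the DMZ living in 10.10.0.0/24 is an assumption.
    flows = [
        ("in", "198.51.100.7", "10.10.0.5"),    # listed source hitting the DMZ
        ("out", "10.10.0.5", "203.0.113.9"),    # DMZ host calling a listed C&C
        ("in", "198.51.100.50", "10.10.0.5"),   # unlisted neighbour of a listed host
        ("out", "10.10.0.5", "198.51.100.50"),
    ]
    for flow, v in zip(flows, check_flows(flows, merged)):
        print(f"{v:5s} {flow[0]:3s} {flow[1]} -> {flow[2]}")
```

Running it prints the four collapsed prefixes, the one rejected feed line, and then block/block/pass/pass for the sample flows. The rejected lines are worth printing before every reload: a feed that one day serves an HTML error page instead of addresses would otherwise silently shrink the list, and a stray 0.0.0.0/0 would silently grow it to everything.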

              Thank you very much Kev. That is very good information.

              Now to tweak everything. :)

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.