Recommended Categories?
-
Hi
I was wondering, currently for 2021, what categories should I be running? Currently I have the IPS Policy set to Balanced.
In the ET Open rules I have:
Snort GPLv2 Community Rules (Talos certified)
emerging-botcc.portgrouped.rules
emerging-botcc.rules
emerging-compromised.rules
emerging-exploit.rules
emerging-imap.rules
emerging-smtp.rules
emerging-tor.rules
emerging-trojan.rules
emerging-web_client.rules
emerging-web_server.rules
emerging-web_specific_apps.rules
emerging-malware.rules
But on Snort Text rules, Snort SO rules and Snort OpenAppID rules I haven't checkmarked anything yet.
And my suppress list:
suppress gen_id 1, sig_id 536
suppress gen_id 1, sig_id 648
suppress gen_id 1, sig_id 653
suppress gen_id 1, sig_id 1390
suppress gen_id 1, sig_id 2452
suppress gen_id 1, sig_id 8375
suppress gen_id 1, sig_id 11192
suppress gen_id 1, sig_id 12286
suppress gen_id 1, sig_id 15147
suppress gen_id 1, sig_id 15306
suppress gen_id 1, sig_id 15362
suppress gen_id 1, sig_id 16313
suppress gen_id 1, sig_id 16482
suppress gen_id 1, sig_id 17458
suppress gen_id 1, sig_id 20583
suppress gen_id 1, sig_id 23098
suppress gen_id 1, sig_id 23256
suppress gen_id 1, sig_id 24889
suppress gen_id 1, sig_id 2000334
suppress gen_id 1, sig_id 2000419
suppress gen_id 1, sig_id 2003195
suppress gen_id 1, sig_id 2007727
suppress gen_id 1, sig_id 2008120
suppress gen_id 1, sig_id 2008578
suppress gen_id 1, sig_id 2010516
suppress gen_id 1, sig_id 2010525
suppress gen_id 1, sig_id 2010935
suppress gen_id 1, sig_id 2010937
suppress gen_id 1, sig_id 2011716
suppress gen_id 1, sig_id 2012078
suppress gen_id 1, sig_id 2012086
suppress gen_id 1, sig_id 2012087
suppress gen_id 1, sig_id 2012088
suppress gen_id 1, sig_id 2012089
suppress gen_id 1, sig_id 2012141
suppress gen_id 1, sig_id 2012252
suppress gen_id 1, sig_id 2012758
suppress gen_id 1, sig_id 2013028
suppress gen_id 1, sig_id 2013031
suppress gen_id 1, sig_id 2013222
suppress gen_id 1, sig_id 2013414
suppress gen_id 1, sig_id 2013504
suppress gen_id 1, sig_id 2014472
suppress gen_id 1, sig_id 2014518
suppress gen_id 1, sig_id 2014520
suppress gen_id 1, sig_id 2014726
suppress gen_id 1, sig_id 2014734
suppress gen_id 1, sig_id 2014819
suppress gen_id 1, sig_id 2015561
suppress gen_id 1, sig_id 2015744
suppress gen_id 1, sig_id 2016360
suppress gen_id 1, sig_id 2016877
suppress gen_id 1, sig_id 2017364
suppress gen_id 1, sig_id 2018959
suppress gen_id 1, sig_id 2019416
suppress gen_id 1, sig_id 2100366
suppress gen_id 1, sig_id 2100368
suppress gen_id 1, sig_id 2100651
suppress gen_id 1, sig_id 2101390
suppress gen_id 1, sig_id 2101424
suppress gen_id 1, sig_id 2102314
suppress gen_id 1, sig_id 2103134
suppress gen_id 1, sig_id 2103192
suppress gen_id 1, sig_id 2402000
suppress gen_id 1, sig_id 2403344
suppress gen_id 1, sig_id 2406003
suppress gen_id 1, sig_id 2406067
suppress gen_id 1, sig_id 2406069
suppress gen_id 1, sig_id 2406424
suppress gen_id 1, sig_id 2500050
suppress gen_id 1, sig_id 2500056
suppress gen_id 1, sig_id 2520199
suppress gen_id 1, sig_id 2520205
suppress gen_id 1, sig_id 100000230
suppress gen_id 3, sig_id 14772
suppress gen_id 3, sig_id 19187
suppress gen_id 3, sig_id 21355
suppress gen_id 119, sig_id 2
suppress gen_id 119, sig_id 4
suppress gen_id 119, sig_id 7
suppress gen_id 119, sig_id 14
suppress gen_id 119, sig_id 31
suppress gen_id 119, sig_id 32
suppress gen_id 119, sig_id 33
suppress gen_id 120, sig_id 2
suppress gen_id 120, sig_id 3
suppress gen_id 120, sig_id 4
suppress gen_id 120, sig_id 6
suppress gen_id 120, sig_id 8
suppress gen_id 120, sig_id 9
suppress gen_id 120, sig_id 10
suppress gen_id 122, sig_id 19
suppress gen_id 122, sig_id 21
suppress gen_id 122, sig_id 22
suppress gen_id 122, sig_id 23
suppress gen_id 122, sig_id 26
suppress gen_id 123, sig_id 10
suppress gen_id 124, sig_id 3
suppress gen_id 125, sig_id 2
suppress gen_id 137, sig_id 1
suppress gen_id 138, sig_id 2
suppress gen_id 138, sig_id 3
suppress gen_id 138, sig_id 4
suppress gen_id 138, sig_id 5
suppress gen_id 138, sig_id 6
suppress gen_id 140, sig_id 27
suppress gen_id 141, sig_id 1
#(http_inspect) PROTOCOL-OTHER HTTP server response before client request
suppress gen_id 120, sig_id 18, track by_dst, ip 181.129.7.172
#(portscan) TCP Portsweep
suppress gen_id 122, sig_id 3
#(http_inspect) PROTOCOL-OTHER HTTP server response before client request
suppress gen_id 120, sig_id 18
#(portscan) TCP Distributed Portscan
suppress gen_id 122, sig_id 4
#(http_inspect) INVALID CHUNK SIZE OR CHUNK SIZE FOLLOWED BY JUNK CHARACTERS
suppress gen_id 120, sig_id 28
#(portscan) TCP Filtered Distributed Portscan
suppress gen_id 122, sig_id 8
#(portscan) TCP Filtered Portsweep
suppress gen_id 122, sig_id 7
#ET SCAN MS Terminal Server Traffic on Non-standard Port
suppress gen_id 1, sig_id 2023753, track by_src, ip 181.57.194.178
#ET SCAN MS Terminal Server Traffic on Non-standard Port
suppress gen_id 1, sig_id 2023753, track by_src, ip 190.144.88.245
#ET WEB_CLIENT SUSPICIOUS Possible automated connectivity check (www.google.com)
suppress gen_id 1, sig_id 2018430
#ET POLICY Vulnerable Java Version 1.7.x Detected
suppress gen_id 1, sig_id 2014297
#(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
suppress gen_id 120, sig_id 3
#(http_inspect) BARE BYTE UNICODE ENCODING
suppress gen_id 119, sig_id 4
#(portscan) UDP Portscan
suppress gen_id 122, sig_id 17, track by_src, ip 181.57.142.5
#ET SCAN MS Terminal Server Traffic on Non-standard Port
suppress gen_id 1, sig_id 2023753, track by_src, ip 181.57.142.5
#(portscan) UDP Portscan
suppress gen_id 122, sig_id 17, track by_src, ip 181.129.7.172
Thank you
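A suppress list of this length tends to accumulate exact duplicates and IP-scoped entries that a later global entry for the same GID:SID already covers. The following is an added example, not code from the thread or from the pfSense Snort package: it parses the `suppress gen_id N, sig_id M[, track by_src|by_dst, ip A]` format shown above, reports both kinds of overlap, and emits a cleaned list. The sample input is a constructed subset of the list posted above, and the function names are my own.

```python
"""Sanity-check a Snort suppress list (pfSense Snort package format).

Added example, not part of the original forum post.  A global entry
(no `track`) suppresses every event for that GID:SID, so an IP-scoped
entry for the same GID:SID adds nothing once the global one exists.
"""
import re
from collections import Counter

# Matches the two forms used in the posted list (assumption: no 'type'
# or 'count' keywords, which the suppress list above does not use).
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$"
)

# Constructed sample: a subset of the list posted above, including one
# exact duplicate (120:3) and one redundant IP-scoped entry (120:18).
SAMPLE = """\
suppress gen_id 1, sig_id 536
suppress gen_id 120, sig_id 3
#(http_inspect) PROTOCOL-OTHER HTTP server response before client request
suppress gen_id 120, sig_id 18, track by_dst, ip 181.129.7.172
#(http_inspect) PROTOCOL-OTHER HTTP server response before client request
suppress gen_id 120, sig_id 18
#ET SCAN MS Terminal Server Traffic on Non-standard Port
suppress gen_id 1, sig_id 2023753, track by_src, ip 181.57.194.178
#ET SCAN MS Terminal Server Traffic on Non-standard Port
suppress gen_id 1, sig_id 2023753, track by_src, ip 190.144.88.245
#(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
suppress gen_id 120, sig_id 3
#(portscan) UDP Portscan
suppress gen_id 122, sig_id 17, track by_src, ip 181.57.142.5
"""


def _sort_key(entry):
    gid, sid, track, ip = entry
    return (gid, sid, track or "", ip or "")


def parse_suppress(text):
    """Return a list of (gid, sid, track, ip) tuples in file order.

    track and ip are None for global entries.  Blank lines and '#'
    comments are skipped; anything else that does not parse raises,
    because a malformed line would otherwise be silently ignored.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unparseable suppress entry: {raw!r}")
        gid, sid, track, ip = m.groups()
        entries.append((int(gid), int(sid), track, ip))
    return entries


def find_duplicates(entries):
    """Entries that appear more than once, byte-for-byte identical."""
    return sorted((e for e, n in Counter(entries).items() if n > 1), key=_sort_key)


def find_redundant_ip_entries(entries):
    """IP-scoped entries whose GID:SID also has a global suppression."""
    global_keys = {(g, s) for g, s, track, _ in entries if track is None}
    return sorted({e for e in entries if e[2] is not None and (e[0], e[1]) in global_keys},
                  key=_sort_key)


def normalize(entries):
    """Drop duplicates and redundant IP-scoped entries, keeping original order."""
    redundant = set(find_redundant_ip_entries(entries))
    seen, out = set(), []
    for e in entries:
        if e in seen or e in redundant:
            continue
        seen.add(e)
        out.append(e)
    return out


def render(entries):
    """Render entries back into suppress-list syntax."""
    lines = []
    for gid, sid, track, ip in entries:
        line = f"suppress gen_id {gid}, sig_id {sid}"
        if track:
            line += f", track {track}, ip {ip}"
        lines.append(line)
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = parse_suppress(SAMPLE)
    print("duplicates:", find_duplicates(parsed))
    print("redundant ip-scoped:", find_redundant_ip_entries(parsed))
    print("--- cleaned list ---")
    print(render(normalize(parsed)))
```

Run it against the full list from the post (paste it in place of SAMPLE, or read it from a file) and it flags the two repeated entries (120:3 and 119:4) and the `track by_dst` line for 120:18 that the later global 120:18 line makes redundant. Keep the comment lines when you paste the cleaned output back into the pfSense GUI; the script only strips them from its own output because the tuples carry no comment text.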
-
The choice of categories is definitely an admin choice/preference thing. There is no hard right or wrong choice. However, there are some general guidelines.
First, choosing to use an IPS Policy is fantastic and actually is what I recommend most strongly to users. I usually suggest folks start with the "Connectivity" policy, and after they gain some experience with how that works in their network environment, maybe then move up to "Balanced". I never recommend going higher than "Balanced" unless you are protecting military secrets or something like the truth about UFOs ...
Also, when enabling the option to use IPS Policy, that will automatically disable manual selection of other Snort categories as the policy choice is doing that for you. So the SO (shared object) rules will be grayed-out.
Using some of the ET rules is not a bad idea, especially if your box has some CPU and RAM resources to spare. Remember, though, that more enabled rules means more CPU and RAM utilization.
One thing I often remind users of is that you don't usually need most of the server rules categories unless you are running that type of server (smtp, web, DNS, etc.) and have it exposed to the Internet. For most networks, and especially home networks, that is not the case. So choose from the "server" rules carefully and make sure you actually have those kinds of attack surfaces on your local network before you enable those rules. Why waste those precious CPU and RAM resources on rules that protect attack surfaces that are not actually present in your network?
As for OpenAppID, that is really more useful in a business or enterprise network where you are trying to monitor compliance with workplace policies. For example, maybe as an employer you want to restrict users from social media sites during work hours, or not have everyone streaming music and chewing up the company's Internet bandwidth. In a typical home network, the OpenAppID rules are not very useful in my opinion. After all, just about everyone uses social media and streaming from their home network. So why have rules alerting on that traffic and potentially blocking it?
-
@bmeeks
Thank you so much for the reply,
So, I forgot to mention, I'm currently running a web server, with the email server Zimbra.
As for the OpenAppID rules, you're right, not worth it; normally the idea is to keep secure the ports I have exposed to the internet. As for the ET rules, what setup do you have, taking into consideration that you might not have a web server or email server?
And as for the Snort text rules, I didn't really find any documentation on this. Thank you
-
@killmasta93 said in Recommended Categories?:
@bmeeks
Thank you so much for the reply,
So, I forgot to mention, I'm currently running a web server, with the email server Zimbra.
As for the OpenAppID rules, you're right, not worth it; normally the idea is to keep secure the ports I have exposed to the internet. As for the ET rules, what setup do you have, taking into consideration that you might not have a web server or email server?
And as for the Snort text rules, I didn't really find any documentation on this. Thank you
The selections you showed in your first post match up with what I would choose from the ET set. There is actually quite a bit of duplication between the Snort and ET rules, and that just logically follows, since the threats themselves are what the rules are targeting. Thus the detection mechanisms have to be the same. Yeah, it's possible one set of rules targets some obscure threat another does not, but all the popular threats are handled by both sets of rules.