Netgate Discussion Forum
Recommended Categories?
killmasta93

Hi,
I was wondering, currently for 2021, what categories should I be running?

Currently I have IPS Policy as Balanced. In the ET open rules:

Snort GPLv2 Community Rules (Talos certified)
emerging-botcc.portgrouped.rules
emerging-botcc.rules
emerging-compromised.rules
emerging-exploit.rules
emerging-imap.rules
emerging-smtp.rules
emerging-tor.rules
emerging-trojan.rules
emerging-web_client.rules
emerging-web_server.rules
emerging-web_specific_apps.rules
emerging-malware.rules

But on Snort Text rules, Snort SO rules and Snort OpenAppID rules I haven't check-marked anything yet.

And my suppress list:

      suppress gen_id 1, sig_id 536
      suppress gen_id 1, sig_id 648
      suppress gen_id 1, sig_id 653
      suppress gen_id 1, sig_id 1390
      suppress gen_id 1, sig_id 2452
      suppress gen_id 1, sig_id 8375
      suppress gen_id 1, sig_id 11192
      suppress gen_id 1, sig_id 12286
      suppress gen_id 1, sig_id 15147
      suppress gen_id 1, sig_id 15306
      suppress gen_id 1, sig_id 15362
      suppress gen_id 1, sig_id 16313
      suppress gen_id 1, sig_id 16482
      suppress gen_id 1, sig_id 17458
      suppress gen_id 1, sig_id 20583
      suppress gen_id 1, sig_id 23098
      suppress gen_id 1, sig_id 23256
      suppress gen_id 1, sig_id 24889
      suppress gen_id 1, sig_id 2000334
      suppress gen_id 1, sig_id 2000419
      suppress gen_id 1, sig_id 2003195
      suppress gen_id 1, sig_id 2007727
      suppress gen_id 1, sig_id 2008120
      suppress gen_id 1, sig_id 2008578
      suppress gen_id 1, sig_id 2010516
      suppress gen_id 1, sig_id 2010525
      suppress gen_id 1, sig_id 2010935
      suppress gen_id 1, sig_id 2010937
      suppress gen_id 1, sig_id 2011716
      suppress gen_id 1, sig_id 2012078
      suppress gen_id 1, sig_id 2012086
      suppress gen_id 1, sig_id 2012087
      suppress gen_id 1, sig_id 2012088
      suppress gen_id 1, sig_id 2012089
      suppress gen_id 1, sig_id 2012141
      suppress gen_id 1, sig_id 2012252
      suppress gen_id 1, sig_id 2012758
      suppress gen_id 1, sig_id 2013028
      suppress gen_id 1, sig_id 2013031
      suppress gen_id 1, sig_id 2013222
      suppress gen_id 1, sig_id 2013414
      suppress gen_id 1, sig_id 2013504
      suppress gen_id 1, sig_id 2014472
      suppress gen_id 1, sig_id 2014518
      suppress gen_id 1, sig_id 2014520
      suppress gen_id 1, sig_id 2014726
      suppress gen_id 1, sig_id 2014734
      suppress gen_id 1, sig_id 2014819
      suppress gen_id 1, sig_id 2015561
      suppress gen_id 1, sig_id 2015744
      suppress gen_id 1, sig_id 2016360
      suppress gen_id 1, sig_id 2016877
      suppress gen_id 1, sig_id 2017364
      suppress gen_id 1, sig_id 2018959
      suppress gen_id 1, sig_id 2019416
      suppress gen_id 1, sig_id 2100366
      suppress gen_id 1, sig_id 2100368
      suppress gen_id 1, sig_id 2100651
      suppress gen_id 1, sig_id 2101390
      suppress gen_id 1, sig_id 2101424
      suppress gen_id 1, sig_id 2102314
      suppress gen_id 1, sig_id 2103134
      suppress gen_id 1, sig_id 2103192
      suppress gen_id 1, sig_id 2402000
      suppress gen_id 1, sig_id 2403344
      suppress gen_id 1, sig_id 2406003
      suppress gen_id 1, sig_id 2406067
      suppress gen_id 1, sig_id 2406069
      suppress gen_id 1, sig_id 2406424
      suppress gen_id 1, sig_id 2500050
      suppress gen_id 1, sig_id 2500056
      suppress gen_id 1, sig_id 2520199
      suppress gen_id 1, sig_id 2520205
      suppress gen_id 1, sig_id 100000230
      suppress gen_id 3, sig_id 14772
      suppress gen_id 3, sig_id 19187
      suppress gen_id 3, sig_id 21355
      suppress gen_id 119, sig_id 2
      suppress gen_id 119, sig_id 4
      suppress gen_id 119, sig_id 7
      suppress gen_id 119, sig_id 14
      suppress gen_id 119, sig_id 31
      suppress gen_id 119, sig_id 32
      suppress gen_id 119, sig_id 33
      suppress gen_id 120, sig_id 2
      suppress gen_id 120, sig_id 3
      suppress gen_id 120, sig_id 4
      suppress gen_id 120, sig_id 6
      suppress gen_id 120, sig_id 8
      suppress gen_id 120, sig_id 9
      suppress gen_id 120, sig_id 10
      suppress gen_id 122, sig_id 19
      suppress gen_id 122, sig_id 21
      suppress gen_id 122, sig_id 22
      suppress gen_id 122, sig_id 23
      suppress gen_id 122, sig_id 26
      suppress gen_id 123, sig_id 10
      suppress gen_id 124, sig_id 3
      suppress gen_id 125, sig_id 2
      suppress gen_id 137, sig_id 1
      suppress gen_id 138, sig_id 2
      suppress gen_id 138, sig_id 3
      suppress gen_id 138, sig_id 4
      suppress gen_id 138, sig_id 5
      suppress gen_id 138, sig_id 6
      suppress gen_id 140, sig_id 27
      suppress gen_id 141, sig_id 1
      #(http_inspect) PROTOCOL-OTHER HTTP server response before client request 
      suppress gen_id 120, sig_id 18, track by_dst, ip 181.129.7.172
      
      #(portscan) TCP Portsweep
      suppress gen_id 122, sig_id 3
      
      #(http_inspect) PROTOCOL-OTHER HTTP server response before client request 
      suppress gen_id 120, sig_id 18
      
      #(portscan) TCP Distributed Portscan
      suppress gen_id 122, sig_id 4
      
      #(http_inspect) INVALID CHUNK SIZE OR CHUNK SIZE FOLLOWED BY JUNK CHARACTERS
      suppress gen_id 120, sig_id 28
      
      #(portscan) TCP Filtered Distributed Portscan
      suppress gen_id 122, sig_id 8
      
      #(portscan) TCP Filtered Portsweep
      suppress gen_id 122, sig_id 7
      
      #ET SCAN MS Terminal Server Traffic on Non-standard Port
      suppress gen_id 1, sig_id 2023753, track by_src, ip 181.57.194.178
      
      #ET SCAN MS Terminal Server Traffic on Non-standard Port
      suppress gen_id 1, sig_id 2023753, track by_src, ip 190.144.88.245
      
      #ET WEB_CLIENT SUSPICIOUS Possible automated connectivity check (www.google.com)
      suppress gen_id 1, sig_id 2018430
      
      #ET POLICY Vulnerable Java Version 1.7.x Detected
      suppress gen_id 1, sig_id 2014297
      
      #(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
      suppress gen_id 120, sig_id 3
      
      #(http_inspect) BARE BYTE UNICODE ENCODING
      suppress gen_id 119, sig_id 4
      
      #(portscan) UDP Portscan
      suppress gen_id 122, sig_id 17, track by_src, ip 181.57.142.5
      
      #ET SCAN MS Terminal Server Traffic on Non-standard Port
      suppress gen_id 1, sig_id 2023753, track by_src, ip 181.57.142.5
      
      #(portscan) UDP Portscan
      suppress gen_id 122, sig_id 17, track by_src, ip 181.129.7.172
      

      Thank you

      Tutorials:

      https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials

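As an added example (not code from the thread or from the pfSense Snort package), a small Python lint for the suppress-list syntax shown above: it parses `suppress gen_id ..., sig_id ...[, track by_src|by_dst, ip ...]` lines, flags exact duplicate entries, and flags IP-scoped entries that a global suppress of the same gen_id/sig_id already covers. The sample input is a constructed excerpt of the list in the post.

```python
import re
from collections import Counter

# Snort suppress syntax as used in the post:
#   suppress gen_id <G>, sig_id <S>[, track by_src|by_dst, ip <addr>]
SUPPRESS_RE = re.compile(
    r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$"
)

def parse_suppress(text):
    """Return (gen_id, sig_id, track, ip) tuples; comment and blank lines are skipped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised suppress line: {line!r}")
        gen, sig, track, ip = m.groups()
        entries.append((int(gen), int(sig), track, ip))
    return entries

def lint_suppress(text):
    """Find exact duplicates and IP-scoped entries made redundant by a global suppress."""
    entries = parse_suppress(text)
    order = lambda e: (e[0], e[1], e[2] or "", e[3] or "")
    counts = Counter(entries)
    duplicates = sorted((e for e, n in counts.items() if n > 1), key=order)
    # An entry without "track" suppresses the signature for every host, so any
    # IP-scoped entry for the same gen_id/sig_id adds nothing.
    global_sids = {(g, s) for g, s, track, _ in entries if track is None}
    shadowed = sorted({e for e in entries if e[2] and (e[0], e[1]) in global_sids}, key=order)
    return {"duplicates": duplicates, "shadowed": shadowed}

# Constructed excerpt of the suppress list shown in the post.
SAMPLE = """\
suppress gen_id 119, sig_id 4
suppress gen_id 120, sig_id 3
#(http_inspect) PROTOCOL-OTHER HTTP server response before client request
suppress gen_id 120, sig_id 18, track by_dst, ip 181.129.7.172
suppress gen_id 120, sig_id 18
#(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
suppress gen_id 120, sig_id 3
#(http_inspect) BARE BYTE UNICODE ENCODING
suppress gen_id 119, sig_id 4
#(portscan) UDP Portscan
suppress gen_id 122, sig_id 17, track by_src, ip 181.57.142.5
"""

if __name__ == "__main__":
    for kind, items in lint_suppress(SAMPLE).items():
        for gen, sig, track, ip in items:
            print(f"{kind}: {gen}:{sig} ({track + ' ' + ip if track else 'all hosts'})")
```

Run against the full list from the post, it reports the two signatures listed twice (119:4 and 120:3) and the 120:18 by_dst entry that the global 120:18 line already covers.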
bmeeks

        The choice of categories is definitely an admin choice/preference thing. There is no hard right or wrong choice. However, there are some general guidelines.

        First, choosing to use an IPS Policy is fantastic and actually is what I recommend most strongly to users. I usually suggest folks start with the "Connectivity" policy, and after they gain some experience with how that works in their network environment, maybe then move up to "Balanced". I never recommend going higher than "Balanced" unless you are protecting military secrets or something like the truth about UFOs ... 😁.

        Also, when enabling the option to use IPS Policy, that will automatically disable manual selection of other Snort categories as the policy choice is doing that for you. So the SO (shared object) rules will be grayed-out.

        Using some of the ET rules is not a bad idea, especially if your box has some CPU and RAM resources to spare. Remember, though, that more enabled rules means more CPU and RAM utilization.

        One thing I often remind users of is that you don't usually need most of the server rules categories unless you are running that type of server (smtp, web, DNS, etc.) and have it exposed to the Internet. For most networks, and especially home networks, that is not the case. So choose from the "server" rules carefully and make sure you actually have those kinds of attack surfaces on your local network before you enable those rules. Why waste those precious CPU and RAM resources on rules that protect attack surfaces that are not actually present in your network?

        As for OpenAppID, that is really more useful in a business or enterprise network where you are trying to monitor compliance with workplace policies. For example, maybe as an employer you want to restrict users from social media sites during work hours, or not have everyone streaming music and chewing up the company's Internet bandwidth. In a typical home network, the OpenAppID rules are not very useful in my opinion. After all, just about everyone uses social media and streaming from their home network. So why have rules alerting on that traffic and potentially blocking it?

killmasta93 @bmeeks

@bmeeks
Thank you so much for the reply.
So I forgot to mention I am currently running a webserver, with the email server Zimbra.
As for the OpenAppID rules, you're right, not worth it; normally the idea is to keep secure the ports I have exposed to the internet. As for the ET rules, what setup do you have, taking into consideration that you might not have a webserver or email server?
And as for the Snort text rules, I didn't really find any documentation of this.

          Thank you

bmeeks @killmasta93

            The selections you showed in your first post match up with what I would choose from the ET set. There is actually quite a bit of duplication between the Snort and ET rules, and that just logically follows, since the threats themselves are what the rules are targeting. Thus the detection mechanisms have to be the same. Yeah, it's possible one set of rules targets some obscure threat another does not, but all the popular threats are handled by both sets of rules.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.