Snort rules
-
hey everyone...i finally got snort going....now i'm just overwhelmed....
there's like.....2000 rules it seems and i have no idea how to set it up in such a way that it might be helpful.
basically i'm on a small network, i DO use bit torrent so i don't want it yelling at me about that but i don't use any other p2p apps...i do use aim, irc, telnet, msn and yahoo but nothing else in the im arena...
i do a lot of web browsing. i basically want to set it up to ignore all those things but to warn me about other harmful effects....i did search the forum and didn't see a guide...if anyone could point me the right way i'd be grateful
(i tried the snort forums but it won't let me access them even though i DO have a valid oinkcode and what not....i guess you have to pay for access there)
-
Usually, people choose the rules they think are necessary. Some rules do not apply to you, e.g. you don't need the SQL rules if you have no open ports for an SQL server. Or, if you have no webserver running, you do not need those rules.
The best way to set it up is to turn on the rules you want (for example webclient) and run it for a month or so. Besides, I would start by turning categories on and off and not go deep into the rules part. If you are sure that you only get the alerts that you expect, you can turn blocking on and Snort will automatically block all IPs that run an attack.
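As an added illustration of the category-level approach described in this answer (not the poster's own config), here is a Snort 2 snort.conf fragment for a small network with no servers but a browser, IM clients and BitTorrent in use. It assumes the stock VRT rule-category file names, a rules directory of /etc/snort/rules, and `<SID>` as a placeholder for a real signature id.

```conf
# Added example snort.conf rule-selection fragment; assumes stock VRT category names.
var RULE_PATH /etc/snort/rules

# Categories left ON: they match what this host actually exposes or uses.
include $RULE_PATH/web-client.rules      # attacks against the browser
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/telnet.rules          # telnet is used from this network

# Categories turned OFF: no such server is listening here, so every alert would be noise.
# include $RULE_PATH/sql.rules
# include $RULE_PATH/mysql.rules
# include $RULE_PATH/web-server.rules
# include $RULE_PATH/web-iis.rules

# Expected traffic (bit torrent, aim/irc/msn/yahoo) that would otherwise fire constantly.
# Option 1: drop the whole category.
# include $RULE_PATH/p2p.rules
# include $RULE_PATH/chat.rules
# Option 2: keep the category and, after a month of reading alerts, silence only
# the specific signatures (and only from the hosts expected to trigger them).
include threshold.conf

# --- threshold.conf (separate file); <SID> is a placeholder, 192.168.1.10 is constructed ---
# Silence one signature from one known host, everywhere else it still alerts:
# suppress gen_id 1, sig_id <SID>, track by_src, ip 192.168.1.10/32
# Rate-limit a noisy but still interesting signature to one alert per source per minute:
# event_filter gen_id 1, sig_id <SID>, type limit, track by_src, count 1, seconds 60
```

Suppressing by SID and source host keeps the rule active for unexpected hosts, which is safer than commenting out an entire category.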
-
yah, that's what i thought...i guess what i really need is a good resource that explains what each rule is for....i guess there's always google, i was just hoping there was a wiki or a guide somewhere for beginners..thanks for the help though, i totally get what you're saying