• Hi,
    I was wondering, currently for 2021, what categories should I be running?

    Currently I have IPS Policy as Balanced.
    In the ET open rules:

    Snort GPLv2 Community Rules (Talos certified)
    emerging-botcc.portgrouped.rules
    emerging-botcc.rules
    emerging-compromised.rules
    emerging-exploit.rules
    emerging-imap.rules
    emerging-smtp.rules
    emerging-tor.rules
    emerging-trojan.rules
    emerging-web_client.rules
    emerging-web_server.rules
    emerging-web_specific_apps.rules
    emerging-malware.rules


    But on Snort Text rules, Snort SO rules and Snort OpenAppID rules I haven't check-marked anything yet.

    And my suppress list:

    suppress gen_id 1, sig_id 536
    suppress gen_id 1, sig_id 648
    suppress gen_id 1, sig_id 653
    suppress gen_id 1, sig_id 1390
    suppress gen_id 1, sig_id 2452
    suppress gen_id 1, sig_id 8375
    suppress gen_id 1, sig_id 11192
    suppress gen_id 1, sig_id 12286
    suppress gen_id 1, sig_id 15147
    suppress gen_id 1, sig_id 15306
    suppress gen_id 1, sig_id 15362
    suppress gen_id 1, sig_id 16313
    suppress gen_id 1, sig_id 16482
    suppress gen_id 1, sig_id 17458
    suppress gen_id 1, sig_id 20583
    suppress gen_id 1, sig_id 23098
    suppress gen_id 1, sig_id 23256
    suppress gen_id 1, sig_id 24889
    suppress gen_id 1, sig_id 2000334
    suppress gen_id 1, sig_id 2000419
    suppress gen_id 1, sig_id 2003195
    suppress gen_id 1, sig_id 2007727
    suppress gen_id 1, sig_id 2008120
    suppress gen_id 1, sig_id 2008578
    suppress gen_id 1, sig_id 2010516
    suppress gen_id 1, sig_id 2010525
    suppress gen_id 1, sig_id 2010935
    suppress gen_id 1, sig_id 2010937
    suppress gen_id 1, sig_id 2011716
    suppress gen_id 1, sig_id 2012078
    suppress gen_id 1, sig_id 2012086
    suppress gen_id 1, sig_id 2012087
    suppress gen_id 1, sig_id 2012088
    suppress gen_id 1, sig_id 2012089
    suppress gen_id 1, sig_id 2012141
    suppress gen_id 1, sig_id 2012252
    suppress gen_id 1, sig_id 2012758
    suppress gen_id 1, sig_id 2013028
    suppress gen_id 1, sig_id 2013031
    suppress gen_id 1, sig_id 2013222
    suppress gen_id 1, sig_id 2013414
    suppress gen_id 1, sig_id 2013504
    suppress gen_id 1, sig_id 2014472
    suppress gen_id 1, sig_id 2014518
    suppress gen_id 1, sig_id 2014520
    suppress gen_id 1, sig_id 2014726
    suppress gen_id 1, sig_id 2014734
    suppress gen_id 1, sig_id 2014819
    suppress gen_id 1, sig_id 2015561
    suppress gen_id 1, sig_id 2015744
    suppress gen_id 1, sig_id 2016360
    suppress gen_id 1, sig_id 2016877
    suppress gen_id 1, sig_id 2017364
    suppress gen_id 1, sig_id 2018959
    suppress gen_id 1, sig_id 2019416
    suppress gen_id 1, sig_id 2100366
    suppress gen_id 1, sig_id 2100368
    suppress gen_id 1, sig_id 2100651
    suppress gen_id 1, sig_id 2101390
    suppress gen_id 1, sig_id 2101424
    suppress gen_id 1, sig_id 2102314
    suppress gen_id 1, sig_id 2103134
    suppress gen_id 1, sig_id 2103192
    suppress gen_id 1, sig_id 2402000
    suppress gen_id 1, sig_id 2403344
    suppress gen_id 1, sig_id 2406003
    suppress gen_id 1, sig_id 2406067
    suppress gen_id 1, sig_id 2406069
    suppress gen_id 1, sig_id 2406424
    suppress gen_id 1, sig_id 2500050
    suppress gen_id 1, sig_id 2500056
    suppress gen_id 1, sig_id 2520199
    suppress gen_id 1, sig_id 2520205
    suppress gen_id 1, sig_id 100000230
    suppress gen_id 3, sig_id 14772
    suppress gen_id 3, sig_id 19187
    suppress gen_id 3, sig_id 21355
    suppress gen_id 119, sig_id 2
    suppress gen_id 119, sig_id 4
    suppress gen_id 119, sig_id 7
    suppress gen_id 119, sig_id 14
    suppress gen_id 119, sig_id 31
    suppress gen_id 119, sig_id 32
    suppress gen_id 119, sig_id 33
    suppress gen_id 120, sig_id 2
    suppress gen_id 120, sig_id 3
    suppress gen_id 120, sig_id 4
    suppress gen_id 120, sig_id 6
    suppress gen_id 120, sig_id 8
    suppress gen_id 120, sig_id 9
    suppress gen_id 120, sig_id 10
    suppress gen_id 122, sig_id 19
    suppress gen_id 122, sig_id 21
    suppress gen_id 122, sig_id 22
    suppress gen_id 122, sig_id 23
    suppress gen_id 122, sig_id 26
    suppress gen_id 123, sig_id 10
    suppress gen_id 124, sig_id 3
    suppress gen_id 125, sig_id 2
    suppress gen_id 137, sig_id 1
    suppress gen_id 138, sig_id 2
    suppress gen_id 138, sig_id 3
    suppress gen_id 138, sig_id 4
    suppress gen_id 138, sig_id 5
    suppress gen_id 138, sig_id 6
    suppress gen_id 140, sig_id 27
    suppress gen_id 141, sig_id 1
    #(http_inspect) PROTOCOL-OTHER HTTP server response before client request 
    suppress gen_id 120, sig_id 18, track by_dst, ip 181.129.7.172
    
    #(portscan) TCP Portsweep
    suppress gen_id 122, sig_id 3
    
    #(http_inspect) PROTOCOL-OTHER HTTP server response before client request 
    suppress gen_id 120, sig_id 18
    
    #(portscan) TCP Distributed Portscan
    suppress gen_id 122, sig_id 4
    
    #(http_inspect) INVALID CHUNK SIZE OR CHUNK SIZE FOLLOWED BY JUNK CHARACTERS
    suppress gen_id 120, sig_id 28
    
    #(portscan) TCP Filtered Distributed Portscan
    suppress gen_id 122, sig_id 8
    
    #(portscan) TCP Filtered Portsweep
    suppress gen_id 122, sig_id 7
    
    #ET SCAN MS Terminal Server Traffic on Non-standard Port
    suppress gen_id 1, sig_id 2023753, track by_src, ip 181.57.194.178
    
    #ET SCAN MS Terminal Server Traffic on Non-standard Port
    suppress gen_id 1, sig_id 2023753, track by_src, ip 190.144.88.245
    
    #ET WEB_CLIENT SUSPICIOUS Possible automated connectivity check (www.google.com)
    suppress gen_id 1, sig_id 2018430
    
    #ET POLICY Vulnerable Java Version 1.7.x Detected
    suppress gen_id 1, sig_id 2014297
    
    #(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
    suppress gen_id 120, sig_id 3
    
    #(http_inspect) BARE BYTE UNICODE ENCODING
    suppress gen_id 119, sig_id 4
    
    #(portscan) UDP Portscan
    suppress gen_id 122, sig_id 17, track by_src, ip 181.57.142.5
    
    #ET SCAN MS Terminal Server Traffic on Non-standard Port
    suppress gen_id 1, sig_id 2023753, track by_src, ip 181.57.142.5
    
    #(portscan) UDP Portscan
    suppress gen_id 122, sig_id 17, track by_src, ip 181.129.7.172
    

    Thank you


  • The choice of categories is definitely an admin choice/preference thing. There is no hard right or wrong choice. However, there are some general guidelines.

    First, choosing to use an IPS Policy is fantastic and actually is what I recommend most strongly to users. I usually suggest folks start with the "Connectivity" policy, and after they gain some experience with how that works in their network environment, maybe then move up to "Balanced". I never recommend going higher than "Balanced" unless you are protecting military secrets or something like the truth about UFOs ... 😁.

    Also, when enabling the option to use IPS Policy, that will automatically disable manual selection of other Snort categories as the policy choice is doing that for you. So the SO (shared object) rules will be grayed-out.

    Using some of the ET rules is not a bad idea, especially if your box has some CPU and RAM resources to spare. Remember, though, that more enabled rules means more CPU and RAM utilization.

    One thing I often remind users of is that you don't usually need most of the server rules categories unless you are running that type of server (smtp, web, DNS, etc.) and have it exposed to the Internet. For most networks, and especially home networks, that is not the case. So choose from the "server" rules carefully and make sure you actually have those kinds of attack surfaces on your local network before you enable those rules. Why waste those precious CPU and RAM resources on rules that protect attack surfaces that are not actually present in your network?

    As for OpenAppID, that is really more useful in a business or enterprise network where you are trying to monitor compliance with workplace policies. For example, maybe as an employer you want to restrict users from social media sites during work hours, or not have everyone streaming music and chewing up the company's Internet bandwidth. In a typical home network, the OpenAppID rules are not very useful in my opinion. After all, just about everyone uses social media and streaming from their home network. So why have rules alerting on that traffic and potentially blocking it?


  • @bmeeks
    Thank you so much for the reply.
    So, forgot to mention, currently running a web server, with email server Zimbra.
    As for OpenAppID rules, you're right, not worth it; normally the idea is to keep secure the ports I have exposed to the internet. As for the ET rules, what setup do you have, taking into consideration that you might not have a web server or email server?
    And as for the Snort text rules, didn't really find any documentation of this.

    Thank you


  • @killmasta93 said in Recomended Categories?:

    @bmeeks
    Thank you so much for the reply.
    So, forgot to mention, currently running a web server, with email server Zimbra.
    As for OpenAppID rules, you're right, not worth it; normally the idea is to keep secure the ports I have exposed to the internet. As for the ET rules, what setup do you have, taking into consideration that you might not have a web server or email server?
    And as for the Snort text rules, didn't really find any documentation of this.

    Thank you

    The selections you showed in your first post match up with what I would choose from the ET set. There is actually quite a bit of duplication between the Snort and ET rules, and that just logically follows, since the threats themselves are what the rules are targeting. Thus the detection mechanisms have to be the same. Yeah, it's possible one set of rules targets some obscure threat another does not, but all the popular threats are handled by both sets of rules.