Netgate Discussion Forum
    Snort WAN Rules - Recommendation?

    IDS/IPS
    1 Posts 1 Posters 1.9k Views
    epionier

      Hello,

      I am quite new to IDS with Snort, but I have it configured for WAN and enabled promiscuous mode for the WAN port.

      In general, I enabled the rules:

      Snort VRT Rules
      Snort GPLv2 Community Rules
      Emerging Threats Open Rules
      Snort OpenAppID Detectors

      Under "WAN Categories" I enabled "Use IPS Policy" under "Snort VRT IPS Policy Selection" and set it to balanced.
      So far I do not have many "false positives", but I wonder whether this selection is safe enough, because with "Use IPS Policy" all "Snort Text Rules" and "Snort SO Rules" are greyed out, so I assume they are disabled (that's what the description of "Use IPS Policy" says, too).

      I tried disabling "Use IPS Policy" and checked ALL the rules that pfSense offered me, but this led to a lot of false positives, so I reverted the option.

      My questions:

      1. Is it safe enough to just use the free "ET Open Rules" according to the IPS policy?

      2. If not, which of the "Snort Text Rules" and "Snort SO Rules" are recommended?

      3. Are some of the rules the same (or almost)? For example, there is a DNS rule set in every category of rules.

      Perhaps some experienced Snort user can help me out so I can find peace at night ;D

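Question 3 in the post asks whether the DNS rules in the different rule sets overlap. The script below is an added example, not part of the original post and not pfSense or Snort code: it parses Snort 2.x text rules and reports rules from different rule sets whose detection logic (header plus content/flow/threshold options) is identical once publisher metadata such as msg, sid, rev and classtype is ignored. The rule text embedded in it is constructed for illustration, with made-up sids in the 9000000 range, and is not real ET Open or Snort VRT content; the function names are the example's own. On a real box you would read the downloaded rules files into the same function instead of the embedded samples.

```python
"""Find rules in different Snort rule sets that match the same traffic.

Added example (not from the original post). The sample rules below are
constructed for illustration and are not real ET Open or Snort VRT rules.
"""
import re
from collections import defaultdict

# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^\s*(alert|drop|reject|pass|log)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)'
    r'\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$'
)
# one "key:value;" or "key;" option; the value may be a quoted string
# containing semicolons (e.g. msg:"a; b";) or an unquoted run up to ';'
OPT_RE = re.compile(r'\s*([A-Za-z_.-]+)(?:\s*:\s*((?:"(?:\\.|[^"\\])*"|[^;"])*))?\s*;')
# options that describe the rule, not the traffic it matches
METADATA = {"msg", "sid", "rev", "classtype", "reference", "metadata", "priority", "gid"}

# Constructed sample rules with fictitious sids (not real ET Open text).
ET_OPEN_SAMPLE = """
alert udp $HOME_NET any -> any 53 (msg:"SAMPLE-ET DNS query for example TLD"; content:"|07|example|00|"; nocase; classtype:bad-unknown; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE-ET SCAN repeated SSH connections"; flow:to_server; flags:S; threshold:type both,track by_src,count 5,seconds 60; sid:9000002; rev:1;)
"""
# Constructed sample rules with fictitious sids (not real Snort VRT text).
VRT_SAMPLE = """
alert udp $HOME_NET any -> any 53 (msg:"SAMPLE-VRT DNS query for example TLD"; content:"|07|example|00|"; nocase; classtype:bad-unknown; sid:9000101; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"SAMPLE-VRT DNS zone transfer over TCP"; flow:to_server,established; content:"|00 00 FC 00 01|"; offset:14; sid:9000102; rev:1;)
"""


def parse_rule(line):
    """Split one rule into its header fields and an ordered option list."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    opts = [(k.lower(), (v or "").strip()) for k, v in OPT_RE.findall(body)]
    return {
        "action": action, "proto": proto.lower(),
        "src": src, "sport": sport, "dir": direction, "dst": dst, "dport": dport,
        "opts": opts,
        "sid": next((v for k, v in opts if k == "sid"), None),
        "msg": next((v.strip('"') for k, v in opts if k == "msg"), ""),
    }


def fingerprint(rule):
    """What the rule matches on the wire, independent of who published it."""
    def norm(v):
        return v.lower().replace(" ", "")
    detection = tuple((k, norm(v)) for k, v in rule["opts"] if k not in METADATA)
    return (rule["proto"], norm(rule["src"]), norm(rule["sport"]), rule["dir"],
            norm(rule["dst"]), norm(rule["dport"]), detection)


def load_ruleset(text):
    """Parse every non-comment line of a rules file; skip lines that fail to parse."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        r = parse_rule(line)
        if r:
            rules.append(r)
    return rules


def find_overlaps(rulesets):
    """rulesets: {name: rule_text}. Returns {fingerprint: [(name, sid, msg), ...]}
    restricted to fingerprints that occur in more than one rule set."""
    by_fp = defaultdict(list)
    for name, text in rulesets.items():
        for r in load_ruleset(text):
            by_fp[fingerprint(r)].append((name, r["sid"], r["msg"]))
    return {fp: hits for fp, hits in by_fp.items() if len({h[0] for h in hits}) > 1}


def main():
    overlaps = find_overlaps({"ET Open (sample)": ET_OPEN_SAMPLE,
                              "Snort VRT (sample)": VRT_SAMPLE})
    for fp, hits in overlaps.items():
        proto, src, sport, direction, dst, dport, _ = fp
        print(f"{proto} {src}:{sport} {direction} {dst}:{dport}")
        for name, sid, msg in hits:
            print(f"    {name:20} sid:{sid}  {msg}")


if __name__ == "__main__":
    main()
```

Running it lists the one pair of sample rules (sids 9000001 and 9000101) that share a detection fingerprint; the SSH and zone-transfer rules differ in ports and options and are not reported. The fingerprint deliberately keeps option order and modifiers (nocase, offset, flow), so two rules that look alike in msg but differ in a content modifier are treated as distinct, which is the conservative choice when deciding which duplicate to disable.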
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.