Snort WAN Rules - Recommendation?

  • Hello,

    I am quite new to IDS with Snort but I have it configured for WAN and enabled promiscuous mode for the WAN port.

    I enabled in general the rules:

    Snort VRT Rules
    Snort GPLv2 Community Rules
    Emerging Threats Open Rules
    Snort OpenAppID Detectors

    under "WAN Categories" I enabled the "Use IPS Policy" under "Snort VRT IPS Policy Selection" and set it to balanced.
    So far I do not have much "false positives" but I wonder if this selection is safe enough because with the "Use IPS Policy" all "Snort Text Rules" and "Snort SO Rules" are greyed out so I assume they are disabled (that`s what the description of "Use IPS Policy" says, too).

    I tried to disable the "Use IPS Policy" and checked ALL rules that pfSense offered me but this led to a lot of false positives so I reverted the option.

    My questions:

    1. Is it safe enough to just use the free "ET Open Rules" according to IPS policy?

    2. If not, which of the "Snort Text Rules" and "Snort SO Rules" are recommended?

    3. Are some of the rules the same (or almost)? Because there is e.g. a DNS Ruleset in every category of rules

    Perhaps some experienced snort user can help me out to find peace in the nights ;D

Log in to reply