4. Snort WAN Rules - Recommendation?

Snort WAN Rules - Recommendation?

  • E

    Hello,

    I am quite new to IDS with Snort but I have it configured for WAN and enabled promiscuous mode for the WAN port.

    I enabled in general the rules:

    Snort VRT Rules
    Snort GPLv2 Community Rules
    Emerging Threats Open Rules
    Snort OpenAppID Detectors

    under "WAN Categories" I enabled the "Use IPS Policy" under "Snort VRT IPS Policy Selection" and set it to balanced.
    So far I do not have much "false positives" but I wonder if this selection is safe enough because with the "Use IPS Policy" all "Snort Text Rules" and "Snort SO Rules" are greyed out so I assume they are disabled (that`s what the description of "Use IPS Policy" says, too).

    I tried to disable the "Use IPS Policy" and checked ALL rules that pfSense offered me but this led to a lot of false positives so I reverted the option.

    My questions:

    1. Is it safe enough to just use the free "ET Open Rules" according to IPS policy?

    2. If not, which of the "Snort Text Rules" and "Snort SO Rules" are recommended?

    3. Are some of the rules the same (or almost)? Because there is e.g. a DNS Ruleset in every category of rules

    Perhaps some experienced snort user can help me out to find peace in the nights ;D

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2019 Rubicon Communications, LLC | Privacy Policy