[Oisf-users] Rules

Will Metcalf william.metcalf at gmail.com
Mon Jun 21 12:09:02 UTC 2010


> What should we use as rules ? snort rules, ET rules, others ? or both ?
I would say both as they apply to your environment.  For example there
is probably no reason to run emerging-web_server.rules or other rules
files for protecting web-apps/servers if you are not running one.  You
have to decide what events are important to you and enable the
corresponding rule-sets enabling these rules.  From there you will
probably still get quite a few false positives, so you will need to
further refine your rule-sets to meet your environment.


> are they the same ? "repeated" ?
Sometimes there are overlaps, but most of the time there are not.
Each rule-set has its own respective strengths and weaknesses imho.

> How can I uninstall Suricata ? (to try 0.9.2 v)
If you were building from the git repo before, you don't really need
to uninstall anything, you can just overwrite your existing
installation following ./configure && make && make install.

Regards,

Will
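The refinement step Will describes (keeping the rule files that apply to your environment, then disabling the individual rules that turn out to be noisy) is usually done by commenting rules out of the `.rules` file by SID rather than deleting them. The script below is an added example, not code from the original reply or from the Suricata project: it parses rule lines for their `sid:` option, reports which rules are active, and comments out a chosen set of SIDs while leaving already-disabled lines untouched. The sample rules and their SIDs are constructed for the example; the only convention it relies on is that a leading `#` disables a rule in a Suricata rule file.

```python
import re
import sys

# Constructed sample rule file for the example (placeholder SIDs, not real ET/VRT rules).
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SAMPLE web probe"; content:"GET /probe"; sid:9000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE already disabled"; sid:9000002; rev:1;)
alert dns $HOME_NET any -> any any (msg:"SAMPLE noisy dns"; sid:9000003; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SAMPLE smtp"; sid:9000004; rev:1;)
"""

# Matches the sid option inside a rule body, e.g. "sid:9000003;" (with optional spaces).
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def rule_sid(line):
    """Return the SID of a rule line, or None if the line carries no sid option."""
    m = SID_RE.search(line)
    return int(m.group(1)) if m else None


def is_disabled(line):
    """A rule is disabled when the line is commented out with a leading '#'."""
    return line.lstrip().startswith("#")


def enabled_sids(rules_text):
    """Sorted SIDs of all rules that are currently active in the text."""
    sids = []
    for line in rules_text.splitlines():
        if not line.strip() or is_disabled(line):
            continue
        sid = rule_sid(line)
        if sid is not None:
            sids.append(sid)
    return sorted(sids)


def disable_sids(rules_text, sids):
    """Return rules_text with every active rule whose SID is in `sids` commented out.

    Rules are kept in the file (just prefixed with '# ') so the change is
    reversible and the rule's text stays available when reviewing false positives.
    """
    out = []
    for line in rules_text.splitlines():
        sid = rule_sid(line)
        if sid in sids and not is_disabled(line):
            line = "# " + line.lstrip()
        out.append(line)
    return "\n".join(out) + "\n"


def disable_sids_in_file(path, sids):
    """Rewrite a rule file in place, disabling the given SIDs; returns the new active SIDs."""
    with open(path, "r", encoding="utf-8") as fh:
        text = fh.read()
    new_text = disable_sids(text, sids)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(new_text)
    return enabled_sids(new_text)


if __name__ == "__main__":
    # Usage: python disable_sids.py <rules-file> <sid> [<sid> ...]
    # Without arguments, demonstrate on the constructed sample instead.
    if len(sys.argv) >= 3:
        wanted = {int(s) for s in sys.argv[2:]}
        print("active after edit:", disable_sids_in_file(sys.argv[1], wanted))
    else:
        print("active before:", enabled_sids(SAMPLE_RULES))
        edited = disable_sids(SAMPLE_RULES, {9000003})
        print("active after: ", enabled_sids(edited))
        print(edited)
```

Run it against a copy of the rule file first and diff the result; after any change, reload the rules and watch the alert volume for the SIDs you kept to confirm the noisy ones are gone without silencing the rest of the file.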
