[Oisf-users] IPS rule set

Matthew Jonkman jonkman at emergingthreatspro.com
Tue May 17 23:11:41 UTC 2011

For suricata we have the emergingthreats.net open rulesets, and the pro side. Suricata can also run most of the VRT set, but it won't be taking advantage of any of the new features suricata has other than multithreading....

We've had the debate many times in the et community whether we should make the block/no-block recommendation for users, and it's always ended up with the assertion that only a relatively slim percentage of rules we could say every org should block in every situation. So we've left it to the organization to make those decisions. 

What we have wanted to do, and I think we'll get going soon in both the ET open and pro rulesets, is a confidence rating. That would allow the admin to make a decision on blocking according to their threshold of risk. 

But till that day comes, I'd recommend making block decisions for a few categories first, like malware, trojan, worm, and the dynamic rulesets like bot-cnc and rbn first. You could even go for it with the exploit stuff. Web_server and the like you should filter through, as well as web_client. 

So my long winded answer is, no. There's not a recommended on and off block ruleset. It very much depends on your organization. But if you start conservatively you can get to the point that keeps you happy very quickly with tuning.


On May 17, 2011, at 6:54 PM, Bryan Cromwell wrote:

> Is there an available ruleset that has that has drop/block rules enabled by default for 'safe' rules?  I am thinking along the lines of tippingpoint recommended rules as opposed to all or none that comes from search and replace of VRT rules set. 
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users

Matthew Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630 x110
Fax 312-264-0205

PGP: http://www.jonkmans.com/mattjonkman.asc

More information about the Oisf-users mailing list