[Oisf-users] Suricata Rules

Cooper F. Nelson cnelson at ucsd.edu
Mon Nov 17 18:53:12 UTC 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is what I would do if I had the budget:

I would have a second sensor that ran only ET rules that are currently
disabled, with a high default threshold setting.  I would then have an
analyst review the alerts daily and look for alerts to enable via
oinkmaster.

*But*, in my limited experience the ET guys do a pretty good job of
enabling the highest-value alerts by default.  I've run some of the
disabled rules in the past during quiet periods and I don't recall
finding much of interest.

Also, if you are running a honeypot/honeynet, it's a good idea to simply
enable everything.

- -Coop

On 11/17/2014 9:04 AM, Jeripotula, Shashiraj wrote:
> Hi,
> 
> Most of the rules seem to be commented out. How do we test Suricata for
> IDS/IPS?
> 
> 
> How do we identify what rules to uncomment? It's a really large rule
> set; it will take a long time to go through them.
> 
> 
> Can someone Please advise.
> 
> 
> Thanks
> 
> 
> Raj
> 
> 
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Training now available: http://suricata-ids.org/training/
> 

- -- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBAgAGBQJUakQYAAoJEKIFRYQsa8FWzSAH+wcV1JtT881VO2x4CxBkZrBP
s91yqySezEiRvnIYWIINj0SEjXSbDl1e9IGe8+HBdPXvWecaniEgziPagQyIyaYL
7W+tp1+ONPPa/07hA9e46VC/P44F3nX+Qzs5exoU+QBu4B2GLG2NtB3IXywF2EC+
WHRGAp+05KtJGXv1N/n8rdIRx+mcX/P/KWqJAXfltSAY7rC0h25cDiau5fAQX+sE
lRgM8wybyWs+FTfcckYXBgmCU4iu4JQVa3qyXAPFhT9gBkFh9u2iFMl8VRgn0YO9
JSIS7Od0o9m442yON96/5i2/SpPvUQLuDKvJG9V+SyjHkmEys3gdK2Vj2lUlo4Y=
=dLxA
-----END PGP SIGNATURE-----
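The workflow Coop describes (run the disabled rules on a review sensor under a high threshold, have an analyst pick the useful ones, then enable them through oinkmaster) can be scripted. The shell snippet below is an added example and is not code from the post, from oinkmaster, or from the Emerging Threats project. It mimics what an oinkmaster "enablesid" entry does (strip the leading "#" from a rule with a given sid), lists which sids are still disabled so an analyst has a candidate list, and prints a Suricata threshold.config entry of "type threshold" so a newly enabled rule only fires after many hits per source while it is being evaluated. The rules file, the sids (9000001..9000003) and the threshold numbers are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the list post: a minimal stand-in for oinkmaster's
# "enablesid" handling plus a threshold.config helper for the review sensor.
# All file names, sids and counts below are constructed for the demo.

RULES_FILE="${RULES_FILE:-$(mktemp)}"

# Constructed sample rules file in Suricata/ET syntax: two rules disabled
# (commented out, as most of the ET set ships) and one rule enabled.
make_sample_rules() {
    cat > "$RULES_FILE" <<'EOF'
#alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"DEMO ssh probe"; flow:to_server; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"DEMO http probe"; flow:to_server; sid:9000002; rev:1;)
#alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DEMO dns probe"; sid:9000003; rev:1;)
EOF
}

# Number of active (uncommented) rules; an action keyword must start the line.
count_enabled() {
    grep -Ec '^[[:space:]]*(alert|drop|pass|reject)' "$RULES_FILE"
}

# Sids of rules that are currently commented out: the analyst's candidate list.
disabled_sids() {
    grep '^#' "$RULES_FILE" | sed -n 's/.*sid:\([0-9]*\);.*/\1/p'
}

# Remove the leading "#" from the rule(s) carrying each sid given as an
# argument; this is the effect of an oinkmaster "enablesid <sid>" entry.
# A temp file is used instead of sed -i so the script stays POSIX-portable.
enable_sids() {
    for sid in "$@"; do
        sed "s/^#\(.*sid:${sid};\)/\1/" "$RULES_FILE" > "$RULES_FILE.tmp" \
            && mv "$RULES_FILE.tmp" "$RULES_FILE"
    done
}

# One threshold.config line: alert on this sid only once a source has
# triggered it 25 times within 60 seconds (a deliberately high bar for a
# rule under evaluation). Syntax is Suricata's threshold.config format.
threshold_entry() {
    printf 'threshold gen_id 1, sig_id %s, type threshold, track by_src, count 25, seconds 60\n' "$1"
}

# Demo run: show the candidate list, enable one sid, show the result.
make_sample_rules
echo "enabled before: $(count_enabled)"
echo "disabled sids:  $(disabled_sids | tr '\n' ' ')"
enable_sids 9000003
echo "enabled after:  $(count_enabled)"
threshold_entry 9000003
```

Point the script at a real rules file with RULES_FILE=/path/to/emerging-foo.rules and replace the demo sid with the ones the analyst picked; the threshold line goes into the sensor's threshold.config. Note that this only flips the comment marker on lines that carry "sid:N;", so ordinary comment lines are left alone.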


