[Oisf-users] "Recommended" rule settings

Cooper F. Nelson cnelson at ucsd.edu
Wed Jan 14 15:03:32 UTC 2015


Best practice is to run the ruleset in the default configuration, monitor
your alerts daily and configure drop rules as desired.  Most of the
low-confidence ET rules are already disabled by default.

It's up to you to establish what meets the criteria for promoting to
'drop' rules, but I'll suggest starting with the high-risk/low FP rules,
like heartbleed, shellshock, exploit kits, attack tools, etc.

And IDP isn't magic and requires constant maintenance and monitoring to
be effective.

-Coop

On 1/14/2015 6:46 AM, unite wrote:
> Hi guys!
> I'm quite new to Suricata. So, I successfully managed to install it and
> to configure it for basic use (I'm using nfqueue IPS mode). Now I want
> to try to secure my network, however I can't find anywhere which rules
> I should enable as "drop", which as "alert" and which not to enable at
> all, so my IPS wouldn't be too paranoid and doesn't block, for example,
> low confidence traffic which is very likely to be legitimate. I'm using
> open emergingthreats rules. I understand that there is no perfect and
> universal rule setting - every single installation needs a unique one,
> however I've seen some kinds of "recommended" rule settings in other IPS
> engines - containing the rule settings that are suitable for most
> deployments and then you change some if you need.
> Can someone advise? It would be a great help for me.
> Thanks in advance!

-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042

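As an added example (not part of Cooper's reply or of the Suricata project), the script below applies the approach described in the thread: it leaves a ruleset as shipped, skips disabled (commented-out) rules, and rewrites only the active `alert` rules whose msg text matches the high-risk/low-FP categories named above to `drop`. The sample rules, sids and match patterns are constructed for illustration and are not real ET rule text.

```python
"""Promote selected Suricata 'alert' rules to 'drop' based on their msg text.

Rule line shape handled: <action> <proto> <src> <port> <dir> <dst> <port> (<options>)
"""
import re

# Constructed sample ruleset (placeholder sids, illustrative msg strings).
# The last rule is disabled by default and must be left untouched.
SAMPLE_RULES = """\
alert tls any any -> any any (msg:"EXAMPLE Heartbleed malformed heartbeat"; sid:9000001; rev:1;)
alert http any any -> any any (msg:"EXAMPLE ShellShock CGI exploit attempt"; sid:9000002; rev:1;)
alert http any any -> any any (msg:"EXAMPLE Exploit Kit landing page"; sid:9000003; rev:1;)
alert http any any -> any any (msg:"EXAMPLE POLICY low confidence user agent"; sid:9000004; rev:1;)
#alert dns any any -> any any (msg:"EXAMPLE disabled by default"; sid:9000005; rev:1;)
"""

# High-risk / low false-positive categories from the thread; patterns are assumptions.
DROP_PATTERNS = [r"heartbleed", r"shellshock", r"exploit kit", r"attack tool"]

MSG_RE = re.compile(r'msg:"([^"]*)"')
SID_RE = re.compile(r"\bsid:(\d+)")


def promote_to_drop(rules_text, patterns=DROP_PATTERNS):
    """Return (rewritten_rules_text, list_of_promoted_sids).

    Only active 'alert' rules whose msg matches a pattern become 'drop';
    comments, blank lines and non-matching rules pass through unchanged,
    so everything else stays in the default (alert-only) configuration.
    """
    compiled = [re.compile(p, re.IGNORECASE) for p in patterns]
    out, promoted = [], []
    for line in rules_text.splitlines():
        stripped = line.strip()
        if not stripped.startswith("alert "):
            out.append(line)  # disabled rule, blank line, or already pass/drop/reject
            continue
        msg = MSG_RE.search(stripped)
        if msg and any(p.search(msg.group(1)) for p in compiled):
            sid = SID_RE.search(stripped)
            promoted.append(int(sid.group(1)) if sid else None)
            out.append("drop" + stripped[len("alert"):])
        else:
            out.append(line)
    return "\n".join(out) + "\n", promoted


if __name__ == "__main__":
    rewritten, sids = promote_to_drop(SAMPLE_RULES)
    print(rewritten)
    print("promoted to drop:", sids)  # the three matching sids above
```

Review the promoted list against a few days of alerts before loading the rewritten file, since the rewrite only selects by msg text and says nothing about how a given rule fires on your traffic.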