[Oisf-users] "Recommended" rule settings

Cooper F. Nelson cnelson at ucsd.edu
Wed Jan 14 15:03:32 UTC 2015



Best practice is to run the ruleset in the default configuration, monitor
your alerts daily and configure drop rules as desired.  Most of the
low-confidence ET rules are already disabled by default.

It's up to you to establish what meets the criteria for promoting to
'drop' rules, but I'll suggest starting with the high-risk/low FP rules,
like heartbleed, shellshock, exploit kits, attack tools, etc.

And IDP isn't magic and requires constant maintenance and monitoring to
be effective.

-Coop

On 1/14/2015 6:46 AM, unite wrote:
> Hi guys!
> 
> I'm quite new to Suricata. So, I successfully managed to install it and
> to configure it for basic use (I'm using nfqueue IPS mode). Now I want
> to try to secure my network, however I can't find anywhere which rules
> I should enable as "drop", which as "alert" and which not to enable at
> all, so my IPS wouldn't be too paranoid and doesn't block, for example,
> low confidence traffic which is very likely to be legitimate. I'm using
> open emergingthreats rules. I understand that there is no perfect and
> universal rule setting - every single installation needs a unique one,
> however I've seen some kinds of "recommended" rule settings in other IPS
> engines - containing the rule settings that are suitable for most
> deployments and then you change some if you need.
> 
> Can someone advise? It would be a great help for me.
> 
> Thanks in advance!
> 


-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
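The workflow above (run ET in its default alert-only configuration, then selectively promote the high-risk/low-false-positive signatures to drop) is easy to script. The following is an added example, not code from this thread or from the Suricata or Emerging Threats projects: it rewrites the action of enabled "alert" rules to "drop" when the rule's msg matches a keyword list seeded with the categories Cooper names, leaves disabled (commented) rules and everything else untouched, and reports before/after action counts so the change can be reviewed. The sample rules, their sids (9000001 and up) and their content matches are constructed placeholders, not real ET rules.

```python
import re

# Constructed sample rules in Emerging Threats style. The sids are placeholders
# and the content matches are dummies; nothing here is a real ET signature.
SAMPLE_RULES = """\
alert tcp any any -> $HOME_NET 443 (msg:"ET EXPLOIT Possible OpenSSL HeartBleed Attempt"; flow:established,to_server; content:"placeholder"; sid:9000001; rev:1;)
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ShellShock Attempt in HTTP Headers"; content:"placeholder"; http_header; sid:9000002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Angler EK Landing Page"; content:"placeholder"; sid:9000003; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"ET SCAN Potential SSH Scan"; flags:S; threshold:type both,track by_src,count 5,seconds 120; sid:9000004; rev:1;)
#alert tcp any any -> any any (msg:"ET POLICY Disabled by default"; content:"placeholder"; sid:9000005; rev:1;)
"""

# action  proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r'^(?P<action>alert|drop|pass|reject)\s+'
    r'(?P<header>\S+\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+)\s+'
    r'\((?P<options>.*)\)\s*$'
)
MSG_RE = re.compile(r'msg:"([^"]*)"')
SID_RE = re.compile(r'\bsid:(\d+)')

# Seed list following the thread's advice: start with the high-risk, low-FP
# signatures (heartbleed, shellshock, exploit kits, attack tools) and grow it
# only as your own daily alert review justifies. Matched case-insensitively.
DEFAULT_DROP_KEYWORDS = ("heartbleed", "shellshock", " ek ", "attack_response", "attack tool")


def promote_to_drop(rules_text, keywords=DEFAULT_DROP_KEYWORDS):
    """Return (rewritten_rules, promoted_sids).

    Only enabled 'alert' rules whose msg contains one of the keywords are
    changed to 'drop'. Comments (including disabled rules), blank lines and
    rules that already use another action are copied through unchanged.
    """
    out = []
    promoted = []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if m is None or m.group("action") != "alert":
            out.append(line)  # not an enabled alert rule: leave as-is
            continue
        msg_m = MSG_RE.search(m.group("options"))
        msg = msg_m.group(1).lower() if msg_m else ""
        if any(k in msg for k in keywords):
            sid_m = SID_RE.search(m.group("options"))
            promoted.append(int(sid_m.group(1)) if sid_m else None)
            line = "drop" + line[len("alert"):]  # keep the rest byte-for-byte
        out.append(line)
    return "\n".join(out) + "\n", promoted


def action_counts(rules_text):
    """Count enabled rules per action plus commented-out (disabled) rules."""
    counts = {"alert": 0, "drop": 0, "disabled": 0}
    for line in rules_text.splitlines():
        s = line.strip()
        if s.startswith("#"):
            if RULE_RE.match(s.lstrip("# ")):
                counts["disabled"] += 1
            continue
        m = RULE_RE.match(s)
        if m:
            counts[m.group("action")] = counts.get(m.group("action"), 0) + 1
    return counts


if __name__ == "__main__":
    new_rules, sids = promote_to_drop(SAMPLE_RULES)
    print("before:", action_counts(SAMPLE_RULES))
    print("after: ", action_counts(new_rules))
    print("promoted sids:", sids)
    print(new_rules)
```

In practice you would run this over the downloaded ET rules directory, keep the keyword list under version control, and diff the before/after counts as part of the daily review Cooper describes, so a ruleset update that adds new signatures in a promoted category does not silently start dropping traffic you have not looked at.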


