[Oisf-users] "Recommended" rule settings

Andreas Herz andi at geekosphere.org
Wed Jan 14 15:20:17 UTC 2015

On 14/01/15 at 16:46, unite wrote:
> Hi guys!
> I'm quite new to Suricata. So, I succesfully managed to install it and to
> configure it for basic use (I'm using nfqueue IPS mode). Now I want to try
> secure my network, however I can't find anywhere which rules should I enable
> as "drop" which as "alert" and which not to enable at all, so my IPS
> wouldn't be too paranoid and don't block, for example, low confidence
> traffic which is very likely to be legitimate. I'm using open
> emergingthreats rules. I understand that there is no perfect and universal
> rule setting - every single installation needs a unique one, however I've
> seen some kinds of "recommended" rule settings in other IPS engines -
> containing the rule settings that are suitable for most deployments and then
> you change some if you need.
> Can someone advice? It would be great help for me.

I can say that using this list with maybe some rules excluded might be a
good start:

 - emerging-trojan.rules
 - emerging-scan.rules
 - emerging-user_agents.rules
 - emerging-current_events.rules
 - emerging-malware.rules
 - emerging-mobile_malware.rules
 - emerging-worm.rules
 - ciarmy.rules
 - compromised.rules
 - drop.rules
 - dshield.rules
 - botcc.rules

Andreas Herz

More information about the Oisf-users mailing list