[Oisf-users] "Recommended" rule settings
Andreas Herz
andi at geekosphere.org
Wed Jan 14 15:20:17 UTC 2015
On 14/01/15 at 16:46, unite wrote:
> Hi guys!
>
> I'm quite new to Suricata. So, I successfully managed to install it and to
> configure it for basic use (I'm using nfqueue IPS mode). Now I want to try to
> secure my network, however I can't find anywhere which rules I should enable
> as "drop", which as "alert", and which not to enable at all, so my IPS
> wouldn't be too paranoid and doesn't block, for example, low confidence
> traffic which is very likely to be legitimate. I'm using open
> emergingthreats rules. I understand that there is no perfect and universal
> rule setting - every single installation needs a unique one, however I've
> seen some kinds of "recommended" rule settings in other IPS engines -
> containing the rule settings that are suitable for most deployments and then
> you change some if you need.
>
> Can someone advise? It would be a great help for me.
I can say that using this list with maybe some rules excluded might be a
good start:
rule-files:
  - emerging-trojan.rules
  - emerging-scan.rules
  - emerging-user_agents.rules
  - emerging-current_events.rules
  - emerging-malware.rules
  - emerging-mobile_malware.rules
  - emerging-worm.rules
  - ciarmy.rules
  - compromised.rules
  - drop.rules
  - dshield.rules
  - botcc.rules
--
Andreas Herz
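The question above asks how to run some categories as "drop" and the rest as "alert" in nfqueue IPS mode. Here is an added example, not from the original thread, of a small Python helper that applies that policy to rule files: it rewrites the action of every active rule in the files from the list above to "drop", leaves a per-SID exception list as "alert" (the "some rules excluded" case), forces any stray "drop" in other categories back to "alert", and never touches commented-out rules or "pass"/"reject" rules. The file names, SIDs and rule text are constructed sample data, not real ET signatures.

```python
import re

# Only these two actions are swapped; "pass" and "reject" rules are left alone.
ACTION_RE = re.compile(r"^(alert|drop)\b")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def set_action(rules_text, action, keep_alert_sids=frozenset()):
    """Return rules_text with every active alert/drop rule set to `action`.
    Lines that are commented out ('# alert ...'), blank, or not alert/drop
    rules are copied unchanged. A rule whose sid is in keep_alert_sids stays
    'alert' even inside a file that is otherwise promoted to drop."""
    out = []
    for line in rules_text.splitlines():
        m = ACTION_RE.match(line)
        if not m:
            out.append(line)  # disabled rule, comment, blank or pass/reject rule
            continue
        sid = SID_RE.search(line)
        new_action = action
        if sid and int(sid.group(1)) in keep_alert_sids:
            new_action = "alert"
        out.append(new_action + line[m.end():])
    return "\n".join(out) + ("\n" if rules_text.endswith("\n") else "")

def apply_policy(rule_files, drop_files, keep_alert_sids=frozenset()):
    """rule_files: {filename: text}. Files named in drop_files become drop
    rules (minus keep_alert_sids); every other file is forced to alert so a
    low-confidence category can never block traffic in IPS mode."""
    return {name: set_action(text, "drop" if name in drop_files else "alert",
                             keep_alert_sids)
            for name, text in rule_files.items()}

# Constructed sample input: two small rule files with made-up SIDs.
SAMPLE_RULES = {
    "emerging-trojan.rules": (
        'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE beacon"; sid:9000001; rev:1;)\n'
        '# alert tcp any any -> any any (msg:"EXAMPLE disabled"; sid:9000002; rev:1;)\n'
        'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE noisy"; sid:9000003; rev:1;)\n'
    ),
    "emerging-policy.rules": (
        'drop tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"EXAMPLE irc"; sid:9000010; rev:1;)\n'
        'pass ip 10.0.0.5 any -> any any (msg:"EXAMPLE allow host"; sid:9000011; rev:1;)\n'
    ),
}
# The categories from the reply above; only emerging-trojan is present in the sample.
DROP_FILES = {"emerging-trojan.rules", "emerging-scan.rules", "emerging-malware.rules",
              "emerging-worm.rules", "compromised.rules", "drop.rules", "botcc.rules"}

if __name__ == "__main__":
    for name, text in apply_policy(SAMPLE_RULES, DROP_FILES, {9000003}).items():
        print("==", name)
        print(text, end="")
```

Write each returned text back to its file (or to a separate directory referenced from rule-files) before restarting Suricata; rules with sids in the exception set keep alerting so they can be reviewed before being promoted to drop.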