[Oisf-users] "Recommended" rule settings

Andreas Moe moe.andreas at gmail.com
Thu Jan 15 20:59:22 UTC 2015


I strongly disagree with those rulefile recommendations. Do you know how
many rules in total this is? And not speaking of all the IP-based rules in
ciarmy, compromised, drop, dshield and botcc??

As I see it there are three issues with this recommendation.
1) This is a lot of rules; give this ruleset 1,2,3,4,5 Gbits/s and well,
drop drop drop.
2) Anyone using their own rule database (i.e. keeping a database of all rules
and revisions) will not be able (without a lot of work) to keep
this ruleset small and fast enough for high speed environments.
3) All ruleset tuning operations should be done by scoping the needs, then
removing files / sids / categories. Not just saying: you don't need this or
this or this. What about web_server, web_client? Those might be of use /
need in this scenario.

So to do the TL;DR version.
No one can say "this is the correct ruleset to run" because they don't know
your network, your infrastructure, and so on. Start with all rules, tune,
do performance testing, check for false positives. All new IDS solutions
need an "initial tuning" phase. Someone trying to "sell you" a "this works
out of the box" is filled with... sorry for saying this: shit =)

2015-01-14 16:20 GMT+01:00 Andreas Herz <andi at geekosphere.org>:

> On 14/01/15 at 16:46, unite wrote:
> > Hi guys!
> >
> > I'm quite new to Suricata. So, I successfully managed to install it and to
> > configure it for basic use (I'm using nfqueue IPS mode). Now I want to try
> > secure my network, however I can't find anywhere which rules should I enable
> > as "drop" which as "alert" and which not to enable at all, so my IPS
> > wouldn't be too paranoid and don't block, for example, low confidence
> > traffic which is very likely to be legitimate. I'm using open
> > emergingthreats rules. I understand that there is no perfect and universal
> > rule setting - every single installation needs a unique one, however I've
> > seen some kinds of "recommended" rule settings in other IPS engines -
> > containing the rule settings that are suitable for most deployments and then
> > you change some if you need.
> >
> > Can someone advise? It would be great help for me.
>
> I can say that using this list with maybe some rules excluded might be a
> good start:
>
> rule-files:
>  - emerging-trojan.rules
>  - emerging-scan.rules
>  - emerging-user_agents.rules
>  - emerging-current_events.rules
>  - emerging-malware.rules
>  - emerging-mobile_malware.rules
>  - emerging-worm.rules
>  - ciarmy.rules
>  - compromised.rules
>  - drop.rules
>  - dshield.rules
>  - botcc.rules
>
> --
> Andreas Herz
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Training now available: http://suricata-ids.org/training/
>
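As an added illustration of the "start with all rules, then tune on false positives" approach argued above (my own example, not code from either poster or from the Suricata project): a Python pass over Suricata eve.json alert records that ranks signature IDs by hit count and drafts threshold.config suppress/limit lines for an analyst to review. The SID numbers and IP addresses are constructed, and the cut-offs of 5 hits and a 90% single-source share are arbitrary assumptions.

```python
import json
from collections import Counter, defaultdict

# Constructed eve.json lines (not real traffic). Only the fields the tuning
# pass reads are present. The "flow" record and the broken last line show
# that non-alert and unparsable lines are skipped rather than crashing.
def _alert(sid, src):
    return json.dumps({"event_type": "alert", "src_ip": src,
                       "alert": {"signature_id": sid, "category": "constructed"}})

SAMPLE_EVE_LINES = (
    [_alert(9000001, "10.0.0.5")] * 9 + [_alert(9000001, "10.0.0.7")]  # one noisy host
    + [_alert(9000002, f"10.0.1.{i}") for i in range(5)]               # broad, low rate
    + [_alert(9000003, "10.0.0.9"),
       json.dumps({"event_type": "flow", "src_ip": "10.0.0.9"}),
       "{not json"]
)

def parse_alerts(lines):
    """Yield (sid, src_ip) for every alert record; skip other event types."""
    for line in lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # a truncated trailing line is common on a live eve.json
        if rec.get("event_type") == "alert":
            yield rec["alert"]["signature_id"], rec["src_ip"]

def rank_sids(lines):
    """Return (hits per sid, per-sid Counter of source IPs)."""
    hits, sources = Counter(), defaultdict(Counter)
    for sid, src in parse_alerts(lines):
        hits[sid] += 1
        sources[sid][src] += 1
    return hits, sources

def tuning_candidates(lines, min_hits=5, single_source_share=0.9):
    """Draft threshold.config lines for the noisiest SIDs, loudest first.

    A SID dominated by one source gets a per-IP suppress candidate (likely a
    known-good host, e.g. a scanner); one firing from many sources gets a
    rate limit so it stays visible without flooding. These are candidates
    for review, not rules to apply blindly.
    """
    hits, sources = rank_sids(lines)
    out = []
    for sid, n in hits.most_common():
        if n < min_hits:
            break  # most_common() is sorted, so everything after is quieter
        top_ip, top_n = sources[sid].most_common(1)[0]
        if top_n / n >= single_source_share:
            out.append(f"suppress gen_id 1, sig_id {sid}, track by_src, ip {top_ip}")
        else:
            out.append(f"threshold gen_id 1, sig_id {sid}, type limit, "
                       f"track by_src, count 1, seconds 60")
    return out
```

Run it against a real eve.json with `tuning_candidates(open("eve.json"))`; the pattern of "few hosts, many hits" versus "many hosts, few hits each" is what separates a candidate for suppression from a candidate for disabling or rate-limiting.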