[Oisf-users] "Recommended" rule settings

Andreas Herz andi at geekosphere.org
Fri Jan 16 09:56:10 UTC 2015


On 15/01/15 at 21:59, Andreas Moe wrote:
> I strongly disagree with those rulefile recommendations. Do you know how
> many rules in total this is? And not speaking of all the IP based rules in
> ciarmy, compromised, drop, dshield and botcc??

I won't say that the amount of rules is the biggest problem.
And yeah, there are several IP based rules, but why shouldn't you want
them included unless you know that some of the entries are outdated or
affect your connections?

> As I see it there are three issues with this recommendation.
> 1) This is a lot of rules, give this ruleset 1,2,3,4,5 Gbits/s and well,
> drop drop drop.

IMHO this really depends on the setup.

> 2) Anyone using their own ruledatabase (ie. keeping a database of all rules
> and revisions) will not be able to (without a lot of work) keep
> this ruleset small and fast enough for high speed environments.

If they have some ruledatabase of their own, they won't need any
recommendations?

> 3) All ruleset tuning operations should be done by scoping the needs, then
> removing files / sids / categories. Not just saying: you don't need this or
> this or this. What about web_server, web_client? Those might be of use /
> need in this scenario.

Sure you really have to set the rulefiles to your needs/scenario.

> So to do the TL;DR version.
> No one can say "this is the correct ruleset to run" because they don't know
> your network, your infrastructure, and so on. Start with all rules, tune,
> do performance testing, check for false positives. All new IDS solutions
> need an "initial tuning" phase. Someone trying to "sell you" a "this works
> out of the box" is filled with... sorry for saying this: shit =)

I never said it's the best or correct ruleset, I just said this is a set
that he might want to consider as a start to test around and see if it
fits.
That's why I also said that some rules are excluded that cause troubles
on some settings.

I totally agree with you that if you want to do it right, sane and
correct you have to play around and find your own ruleset. But I think
sharing rulesets that are tested on several systems should be valid,
too.

> 2015-01-14 16:20 GMT+01:00 Andreas Herz <andi at geekosphere.org>:
> 
> > On 14/01/15 at 16:46, unite wrote:
> > > Hi guys!
> > >
> > > I'm quite new to Suricata. So, I successfully managed to install it and to
> > > configure it for basic use (I'm using nfqueue IPS mode). Now I want to try
> > > to secure my network, however I can't find anywhere which rules I should
> > > enable as "drop", which as "alert" and which not to enable at all, so my IPS
> > > wouldn't be too paranoid and wouldn't block, for example, low confidence
> > > traffic which is very likely to be legitimate. I'm using open
> > > emergingthreats rules. I understand that there is no perfect and universal
> > > rule setting - every single installation needs a unique one, however I've
> > > seen some kinds of "recommended" rule settings in other IPS engines -
> > > containing the rule settings that are suitable for most deployments and then
> > > you change some if you need.
> > >
> > > Can someone advise? It would be a great help for me.
> >
> > I can say that using this list with maybe some rules excluded might be a
> > good start:
> >
> > rule-files:
> >  - emerging-trojan.rules
> >  - emerging-scan.rules
> >  - emerging-user_agents.rules
> >  - emerging-current_events.rules
> >  - emerging-malware.rules
> >  - emerging-mobile_malware.rules
> >  - emerging-worm.rules
> >  - ciarmy.rules
> >  - compromised.rules
> >  - drop.rules
> >  - dshield.rules
> >  - botcc.rules
> >
> > --
> > Andreas Herz
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > Training now available: http://suricata-ids.org/training/
> >



-- 
Andreas Herz
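The question running through this thread is which rules to run as "drop", which as "alert", and which to disable entirely, and how to keep track of that during the initial tuning phase. The script below is an added example, not code from the list posts, from Suricata or from Emerging Threats: it applies a drop/alert/disable policy (by SID or by a pattern on the rule's msg) to rule files written in Suricata syntax, keeps already-commented rules disabled, and returns a per-file count of the outcome. The rule files, SIDs, messages and the policy itself are constructed for illustration only.

```python
"""Apply a drop / alert / disable policy to Suricata rule files during an
initial tuning pass.  Added example; the rule files below are constructed
and the policy is illustrative, not a recommendation for any network."""
import re
from collections import Counter

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
MSG_RE = re.compile(r'msg\s*:\s*"([^"]*)"')
# A rule line starts with an optional comment marker and an action keyword.
ACTION_RE = re.compile(r"^(#\s*)?(alert|drop|pass|reject)\b")

# Constructed sample rule files in Suricata/ET syntax (not real ET content).
SAMPLE_FILES = {
    "emerging-trojan.rules": "\n".join([
        "# constructed sample file",
        'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE TROJAN Fake checkin"; '
        'flow:established,to_server; content:"/checkin.php"; http_uri; '
        'classtype:trojan-activity; sid:9000001; rev:1;)',
        'alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"EXAMPLE TROJAN IRC nick"; '
        'flow:established,to_server; content:"NICK "; sid:9000002; rev:1;)',
        '#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE TROJAN Retired"; '
        'sid:9000003; rev:1;)',
    ]),
    "emerging-user_agents.rules":
        'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE USER_AGENTS Odd UA '
        'low confidence"; flow:established,to_server; content:"User-Agent|3a| Example"; '
        'http_header; sid:9000010; rev:1;)',
    "ciarmy.rules":
        'alert ip [192.0.2.10,192.0.2.11] any -> $HOME_NET any (msg:"EXAMPLE CIARMY Poor '
        'reputation IP"; flags:S; sid:9000020; rev:1;)',
}

# Illustrative policy: high-confidence malware signatures become drop, rules
# found noisy in testing or flagged low confidence are disabled, the rest
# (IP reputation lists included) stay as alert until they have proven themselves.
POLICY = {
    "drop_sids": set(),
    "drop_msg": [re.compile(r"^EXAMPLE TROJAN")],
    "disable_sids": {9000002},                      # hypothetical: noisy on IRC traffic
    "disable_msg": [re.compile(r"low confidence", re.I)],
}


def parse_rule(line):
    """Return enabled/action/sid/msg for a rule line, or None for non-rule lines."""
    m = ACTION_RE.match(line.strip())
    if not m:
        return None
    sid_m = SID_RE.search(line)
    if not sid_m:
        return None
    msg_m = MSG_RE.search(line)
    return {
        "enabled": m.group(1) is None,
        "action": m.group(2),
        "sid": int(sid_m.group(1)),
        "msg": msg_m.group(1) if msg_m else "",
    }


def tune_line(line, policy):
    """Rewrite one line under the policy; returns (new_line, state or None)."""
    info = parse_rule(line)
    if info is None:
        return line, None                     # comment, blank or unparsable: keep as is
    body = line.strip().lstrip("#").strip()   # rule text without any comment marker
    msg = info["msg"]
    if (not info["enabled"]
            or info["sid"] in policy["disable_sids"]
            or any(p.search(msg) for p in policy["disable_msg"])):
        return "# " + body, "disabled"
    if info["sid"] in policy["drop_sids"] or any(p.search(msg) for p in policy["drop_msg"]):
        return "drop" + body[len(info["action"]):], "drop"
    return body, info["action"]


def tune_ruleset(files, policy):
    """Tune every file; returns (tuned text per file, Counter of states per file)."""
    tuned, summary = {}, {}
    for name, text in files.items():
        out, counts = [], Counter()
        for line in text.splitlines():
            new, state = tune_line(line, policy)
            out.append(new)
            if state:
                counts[state] += 1
        tuned[name] = "\n".join(out)
        summary[name] = counts
    return tuned, summary


if __name__ == "__main__":
    tuned_files, per_file = tune_ruleset(SAMPLE_FILES, POLICY)
    for name, counts in per_file.items():
        print(f"{name}: {dict(counts)}")
```

The per-file summary is the number to watch while tuning: a category whose rules are almost all disabled after a few rounds of false-positive review is a candidate for removal from the `rule-files:` list, while a category that stays mostly on "alert" can be moved towards "drop" once its hit rate on real traffic has been checked.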