List: oisf-users
Subject: Re: [Oisf-users] IPS rule set
From: Matthew Jonkman <jonkman () emergingthreatspro ! com>
Date: 2011-05-17 23:11:41
Message-ID: 56C5133B-1724-4E55-9792-6F34C0020B7F () emergingthreatspro ! com
For Suricata we have the emergingthreats.net open rulesets, and the pro side. Suricata can also run most of the VRT set, but it won't be taking advantage of any of the new features Suricata has other than multithreading...

We've had the debate many times in the ET community whether we should make the block/no-block recommendation for users, and it's always ended up with the assertion that there's only a relatively slim percentage of rules we could say every org should block in every situation. So we've left it to the organization to make those decisions.

What we have wanted to do, and I think we'll get going soon in both the ET open and pro rulesets, is a confidence rating. That would allow the admin to make a decision on blocking according to their threshold of risk.

But till that day comes, I'd recommend making block decisions for a few categories first, like malware, trojan, worm, and the dynamic rulesets like bot-cnc and rbn. You could even go for it with the exploit stuff. Web_server and the like you should filter through, as well as web_client.

So my long-winded answer is, no. There's not a recommended on-and-off block ruleset. It very much depends on your organization. But if you start conservatively you can get to the point that keeps you happy very quickly with tuning.
Matt
On May 17, 2011, at 6:54 PM, Bryan Cromwell wrote:
> Is there an available ruleset that has drop/block rules enabled by default for 'safe' rules? I am thinking along the lines of TippingPoint recommended rules, as opposed to the all-or-none that comes from a search and replace of the VRT rule set.
>
> _______________________________________________
> Oisf-users mailing list
> Oisf-users@openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630 x110
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
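As an added example (not code from this thread, from Emerging Threats or from the Suricata project), the category-based block decision Matt describes can be scripted: rules whose ET category is on an explicit block list (malware, trojan, worm, the C&C and RBN sets) have their action rewritten from `alert` to `drop`, while web_server, web_client and anything else stay as `alert`. The category is read from the `ET <CATEGORY>` prefix that ET rules carry in their `msg`. The rule lines, sids and content strings below are constructed placeholders, not real ET signatures; only the first token of a line is rewritten, so the word "alert" inside a `content:` match and commented-out (disabled) rules are left untouched.

```python
import re

# Constructed sample rules in Suricata/ET syntax. These are NOT real ET rules;
# sids are placeholders in the local-use range and content strings are made up.
SAMPLE_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sample checkin"; flow:established,to_server; content:"GET /checkin"; classtype:trojan-activity; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"ET CNC Sample IRC bot command"; flow:established,to_server; content:"PRIVMSG"; classtype:trojan-activity; sid:9000002; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Sample possible SQLi"; flow:established,to_server; content:"UNION"; nocase; classtype:web-application-attack; sid:9000003; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sample disabled rule"; content:"alert"; sid:9000004; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Sample browser exploit"; flow:established,to_client; content:"<script>"; classtype:attempted-user; sid:9000005; rev:1;)
"""

# Categories the e-mail suggests blocking first (names chosen here to match the
# "ET <CATEGORY>" msg prefix; "CNC" and "RBN" are assumptions for bot-cnc/rbn).
BLOCK_CATEGORIES = {"MALWARE", "TROJAN", "WORM", "CNC", "RBN"}

# A rule line starts with its action keyword; anything else (comments, blank
# lines, variable definitions) is passed through unchanged.
RULE_RE = re.compile(r"^(?P<action>alert|drop|pass|reject)\s+(?P<rest>.*)$")
MSG_RE = re.compile(r'msg:\s*"ET\s+(?P<cat>[A-Z_]+)\b')
SID_RE = re.compile(r"sid:\s*(\d+)")


def category_of(rule):
    """Return the ET category from the msg prefix, or None if absent."""
    m = MSG_RE.search(rule)
    return m.group("cat") if m else None


def convert_rules(text, block_categories=BLOCK_CATEGORIES):
    """Rewrite 'alert' to 'drop' for rules in the chosen categories.

    Returns (converted_text, stats, dropped_sids) so the change set can be
    reviewed before the file is loaded into an inline sensor.
    """
    out, dropped_sids = [], []
    stats = {"dropped": 0, "kept_alert": 0, "untouched": 0}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            # Comment, blank line or non-rule: never touched, so a disabled
            # rule stays disabled even if its category is on the block list.
            out.append(line)
            stats["untouched"] += 1
            continue
        if m.group("action") == "alert" and category_of(line) in block_categories:
            out.append("drop " + m.group("rest"))
            stats["dropped"] += 1
            sid = SID_RE.search(line)
            if sid:
                dropped_sids.append(int(sid.group(1)))
        else:
            # web_server, web_client, etc. stay as alerts for manual review.
            out.append(line)
            stats["kept_alert"] += 1
    return "\n".join(out) + "\n", stats, dropped_sids


if __name__ == "__main__":
    converted, stats, sids = convert_rules(SAMPLE_RULES)
    print(converted)
    print("summary:", stats, "dropped sids:", sids)
```

Review the `dropped_sids` list before deploying: it is the exact set of signatures that will start blocking traffic, and `drop` only has an effect when Suricata runs inline (for example via NFQUEUE); in passive mode the rewritten rules still just alert.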