On Fri, Jun 07, 2013 at 01:27:05PM -0700, Jeremiah Rothschild wrote:
> I wonder, then, what sort of best practice or sweet spot exists.
> fwsnort, for example, ships with over 2800 snort rules and the
> emergingthreats ruleset is crazy at over 12000. Of course, only
> 60-70% of these will translate, and perhaps there's some (or a lot)
> of overkill in these, but still.
> 
> Any thoughts or advice?

Pardon my reply to my own message, but having thought it through
more, it seems that -- if one really wanted to "blanket ban" attack
traffic -- then addressing it with the fwsnort (with the --ipt-drop
option) makes more sense than addressing it with psad.

With that said, maybe a little more flexibility with snort_rule_dl
would be good. Such as being able to assign a danger level to a
particular classtype rather than a specific SID.

At any rate, thanks for bearing with me. I think now, with you
having clarified the AUTO_BLOCK_REGEX functionality for me, that
I have all the info I need to proceed. Thanks for bearing with me!
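The idea above, deriving psad danger levels from a Snort classtype instead of listing individual SIDs, can be approximated today by generating the SID-based file from the ruleset. The following Python script is an added example, not code from psad or fwsnort: it parses constructed sample rules embedded inline, maps each rule's classtype to a chosen danger level, and renders the result in the `<sid> <danger level>` line format that psad's `snort_rule_dl` file is assumed here to use (the mapping and sample rules are illustrative, and the file format is an assumption to check against your psad version).

```python
import re

# Constructed sample Snort rules for this example (not from any real ruleset).
# Each carries a classtype and a sid, which is all the generator needs.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE SSH brute force"; flow:to_server; classtype:attempted-admin; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE web scanner UA"; content:"EvilScanner"; http_header; classtype:web-application-attack; sid:9000002; rev:2;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE large ICMP"; dsize:>1000; classtype:misc-activity; sid:9000003; rev:1;)
# comment lines and blank lines must be skipped
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXAMPLE DNS version query"; content:"version"; nocase; classtype:attempted-recon; sid:9000004; rev:1;)
"""

# Hypothetical classtype -> psad danger level (1..5) mapping chosen for this example.
# Classtypes not listed here get no snort_rule_dl entry, so psad's default applies.
CLASSTYPE_DL = {
    "attempted-admin": 5,
    "web-application-attack": 4,
    "attempted-recon": 2,
}

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
CLASSTYPE_RE = re.compile(r"\bclasstype\s*:\s*([\w-]+)\s*;")


def parse_rules(text):
    """Yield (sid, classtype) for every active (non-comment) rule line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid_m = SID_RE.search(line)
        ct_m = CLASSTYPE_RE.search(line)
        if sid_m and ct_m:
            yield int(sid_m.group(1)), ct_m.group(1)


def build_sid_dl(text, classtype_dl):
    """Return {sid: danger_level} for rules whose classtype is in the mapping."""
    return {sid: classtype_dl[ct] for sid, ct in parse_rules(text) if ct in classtype_dl}


def render_snort_rule_dl(sid_dl):
    """Render the assumed snort_rule_dl format: one '<sid> <danger level>' per line."""
    return "".join(f"{sid} {dl}\n" for sid, dl in sorted(sid_dl.items()))


if __name__ == "__main__":
    # Regenerate this output whenever the ruleset changes and install it as
    # psad's snort_rule_dl (path and format per your psad installation).
    print(render_snort_rule_dl(build_sid_dl(SAMPLE_RULES, CLASSTYPE_DL)), end="")
```

Because the mapping is keyed on classtype, adding a new rule to the ruleset needs no per-SID edit: rerunning the generator picks up its danger level automatically, and rules whose classtype is not in the mapping (the `misc-activity` rule above) are left to psad's default handling.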

psad-discuss mailing list
psad-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/psad-discuss