-- 
Michael Rash | Founder
http://www.cipherdyne.org/
Key fingerprint: E2EF 0C8A 5AA9 654C 4763  B50F 37AC E946 7F51 8271
On Jun 07, 2013, Jeremiah Rothschild wrote:

> On Fri, Jun 07, 2013 at 01:27:05PM -0700, Jeremiah Rothschild wrote:
> > I wonder, then, what sort of best practice or sweet spot exists.
> > fwsnort, for example, ships with over 2800 snort rules and the
> > emergingthreats ruleset is crazy at over 12000. Of course, only
> > 60-70% of these will translate, and perhaps there's some (or a lot)
> > of overkill in these, but still.
> > 
> > Any thoughts or advice?
> 
> Pardon my reply to my own message, but having thought it through
> more, it seems that -- if one really wanted to "blanket ban" attack
> traffic -- then addressing it with the fwsnort (with the --ipt-drop
> option) makes more sense than addressing it with psad.


Well, there is a trade-off here too.  Using --ipt-drop with fwsnort will
provide some protection against a specific exploit, but the attacker is
free to return with other exploits and/or apply evasions to the original
that fwsnort most likely won't be able to detect.

Using psad provides a more comprehensive IP-based blocking policy.  You
can also use the two strategies in conjunction.

> With that said, maybe a little more flexibility with snort_rule_dl
> would be good. Such as being able to assign a danger level to a
> particular classtype rather than a specific SID.

Agreed - I'll add this for the next release.

Thanks,

--Mike


> At any rate, thanks for bearing with me. I think now, with you
> having clarified the AUTO_BLOCK_REGEX functionality for me, that
> I have all the info I need to proceed. Thanks for bearing with me!

------------------------------------------------------------------------------
How ServiceNow helps IT people transform IT departments:
1. A cloud service to automate IT design, transition and operations
2. Dashboards that offer high-level views of enterprise services
3. A single system of record for all IT processes
http://p.sf.net/sfu/servicenow-d2d-j
_______________________________________________
psad-discuss mailing list
psad-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/psad-discuss
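As an added illustration of the classtype-based danger levels Jeremiah asks for above (this is not psad's or fwsnort's own code; the sample rules, the classtype policy and the `sid;danger_level` output format are assumptions to check against the snort_rule_dl file psad ships), a script that derives a per-SID danger level from each Snort rule's classtype, so a whole classtype can be rated without listing every SID by hand:

```python
import re

# Constructed sample Snort rules (not from the page); only sid and classtype matter here.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH brute force"; classtype:attempted-admin; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Web scan"; classtype:web-application-attack; sid:1000002; rev:2;)
# comment line that must be ignored
alert icmp any any -> $HOME_NET any (msg:"ping sweep"; classtype:network-scan; sid:1000003; rev:1;)
alert tcp any any -> any any (msg:"no classtype"; sid:1000004; rev:1;)
"""

# Hypothetical policy: psad danger level (1..5) per Snort classtype.
CLASSTYPE_DANGER = {
    "attempted-admin": 5,
    "web-application-attack": 4,
    "network-scan": 2,
}
DEFAULT_DANGER = 1  # rules without a classtype (or an unlisted one) get the lowest level

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
CLASSTYPE_RE = re.compile(r"\bclasstype\s*:\s*([\w-]+)\s*;")


def rule_sid_classtypes(rules_text):
    """Yield (sid, classtype) for each active rule line; classtype is None if absent."""
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m_sid = SID_RE.search(line)
        if not m_sid:  # not a rule line (no sid option)
            continue
        m_ct = CLASSTYPE_RE.search(line)
        yield int(m_sid.group(1)), (m_ct.group(1) if m_ct else None)


def build_sid_danger_map(rules_text, policy, default):
    """Map every SID to the danger level of its classtype, falling back to default."""
    return {sid: policy.get(ct, default) for sid, ct in rule_sid_classtypes(rules_text)}


def render_snort_rule_dl(sid_map):
    """Render 'sid;danger_level' lines. ASSUMED format: verify against psad's snort_rule_dl."""
    return "\n".join(f"{sid};{dl}" for sid, dl in sorted(sid_map.items())) + "\n"


if __name__ == "__main__":
    print(render_snort_rule_dl(build_sid_danger_map(SAMPLE_RULES, CLASSTYPE_DANGER, DEFAULT_DANGER)))
```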