On Jun 07, 2013, Jeremiah Rothschild wrote:

> On Fri, Jun 07, 2013 at 01:27:05PM -0700, Jeremiah Rothschild wrote:
> > I wonder, then, what sort of best practice or sweet spot exists.
> > fwsnort, for example, ships with over 2800 snort rules and the
> > emergingthreats ruleset is crazy at over 12000. Of course, only
> > 60-70% of these will translate, and perhaps there's some (or a lot)
> > of overkill in these, but still.
> >
> > Any thoughts or advice?
>
> Pardon my reply to my own message, but having thought it through
> more, it seems that -- if one really wanted to "blanket ban" attack
> traffic -- then addressing it with the fwsnort (with the --ipt-drop
> option) makes more sense than addressing it with psad.

Well, there is a trade-off here too. Using --ipt-drop with fwsnort will provide some protection against a specific exploit, but the attacker is free to return with other exploits and/or apply evasions to the original that fwsnort most likely won't be able to detect. Using psad provides a more comprehensive IP-based blocking policy. You can also use the two strategies in conjunction as well.

> With that said, maybe a little more flexibility with snort_rule_dl
> would be good. Such as being able to assign a danger level to a
> particular classtype rather than a specific SID.

Agreed - I'll add this for the next release.

Thanks,

--Mike

> At any rate, thanks for bearing with me. I think now, with you
> having clarified the AUTO_BLOCK_REGEX functionality for me, that
> I have all the info I need to proceed. Thanks for bearing with me!

--
Michael Rash | Founder
http://www.cipherdyne.org/
Key fingerprint: E2EF 0C8A 5AA9 654C 4763 B50F 37AC E946 7F51 8271

_______________________________________________
psad-discuss mailing list
psad-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/psad-discuss
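As an added illustration of the per-classtype danger-level idea discussed in the thread (example code written for this page, not code from psad, fwsnort or either poster): the script parses Snort-style rules, applies a classtype-to-danger-level policy with per-SID overrides taking precedence, and emits sid;danger_level lines. The sample rules, the policy values and the output layout are constructed assumptions, not psad's shipped files.

```python
import re

# Constructed sample of Snort-style rules (not from any shipped ruleset).
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB cmd.exe request"; content:"cmd.exe"; classtype:web-application-attack; sid:1000001; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH probe"; flags:S; classtype:attempted-recon; sid:1000002; rev:1;)
# comment lines and blank lines are ignored
alert udp any any -> $HOME_NET 161 (msg:"SNMP default community"; content:"public"; classtype:misc-attack; sid:1000003; rev:1;)
alert tcp any any -> any any (msg:"rule without classtype"; sid:1000004; rev:1;)
"""

# Assumed policy: danger level (1-5, psad's scale) per Snort classtype.
CLASSTYPE_DL = {"web-application-attack": 4, "attempted-recon": 2, "misc-attack": 3}
# Per-SID entries override the classtype default, so existing SID mappings still win.
SID_DL = {1000002: 5}

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
CLASSTYPE_RE = re.compile(r"\bclasstype\s*:\s*([\w-]+)\s*;")

def parse_rules(text):
    """Yield (sid, classtype) per active rule; classtype is None when absent."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid = SID_RE.search(line)
        if not sid:  # every valid Snort rule carries a sid; skip anything else
            continue
        ct = CLASSTYPE_RE.search(line)
        yield int(sid.group(1)), (ct.group(1) if ct else None)

def danger_levels(text, classtype_dl, sid_dl, default=None):
    """Map sid -> danger level: SID override, then classtype policy, then default.
    A default of None means rules matching neither get no entry at all."""
    levels = {}
    for sid, ct in parse_rules(text):
        dl = sid_dl.get(sid, classtype_dl.get(ct, default))
        if dl is not None:
            levels[sid] = dl
    return levels

def render_snort_rule_dl(levels):
    """Render 'sid;danger_level' lines (assumed to match psad's snort_rule_dl layout)."""
    return "\n".join(f"{sid};{dl}" for sid, dl in sorted(levels.items()))

if __name__ == "__main__":
    print(render_snort_rule_dl(danger_levels(SAMPLE_RULES, CLASSTYPE_DL, SID_DL)))
```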