  1. #1
     Just Joined! | Join Date: Aug 2010 | Posts: 1

    Question: Snort Important Rules


    hello all,

    I've installed fwsnort on a Linux server; it uses Snort rules and includes them in iptables.

    I can use fwsnort to load specific rules only by the rule ID, like this:

    # fwsnort --include-type ddos,backdoor

    Generate iptables rules for Snort IDs 2008475 and 2003268 (from emerging-all.rules):

    # fwsnort --snort-sid 2008475,2003268

    Generate iptables rules for Snort IDs 1834 and 2001842, but queue them to userspace via the NFQUEUE target and exclude the INPUT and OUTPUT chains:

    My question is: is there any way to get the SIDs of a specific type of rules, or to list the most important rules to load, so that I don't load all rules, which needs a lot of memory?

  2. #2
     Just Joined! | Join Date: Aug 2009 | Posts: 83
    Quote Originally Posted by george87:
    I've installed fwsnort on a Linux server
    While the product is called "fwsnort", it actually has nothing to do with Snort (only the rules); it will not convert all rules, and it has none of the characteristics (fast pattern matching, stateful packet analysis, stream reassembly, different alert types, pass-before-log rules, different log targets, et cetera) that make Snort the IDS of choice for many. What I'm saying is that you should make certain that what you use is what you want to use, and that it is effective in dealing with threats.


    Quote Originally Posted by george87:
    My question is: is there any way to get the SIDs of a specific type of rules, or to list the most important rules to load, so that I don't load all rules, which needs a lot of memory?
    Your definition of "most important" should depend on what you run: what you need to see attacks against. Wrt not loading SIDs, Oinkmaster can strip SIDs, but of course you could brew your own script. Finally, as for what not to load, just delete rulesets before processing them, or grep the sid-msg.map for services or products you don't run.
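As an added example (not from the thread, and not part of fwsnort or Oinkmaster), a small POSIX shell helper that does the sid-msg.map grep the reply suggests and turns the result into the comma-separated list that `fwsnort --snort-sid` expects. It assumes the classic "sid || msg || reference" map layout; the map excerpt below is constructed, not real rule messages.

```shell
#!/bin/sh
# Constructed sid-msg.map excerpt (placeholder SIDs and messages, not real rules).
SID_MSG_MAP=$(mktemp)
trap 'rm -f "$SID_MSG_MAP"' EXIT
cat > "$SID_MSG_MAP" <<'EOF'
1000001 || EXAMPLE DDOS flood against web server || url,example.invalid
1000002 || EXAMPLE BACKDOOR shell listener detected || url,example.invalid
1000003 || EXAMPLE DDOS amplification probe || url,example.invalid
1000004 || EXAMPLE WEB-IIS ISAPI request || url,example.invalid
1000005 || EXAMPLE SMTP relay attempt || url,example.invalid
EOF

# select_sids MAPFILE INCLUDE_RE [EXCLUDE_RE]
# Prints a comma-separated list of SIDs whose message matches INCLUDE_RE
# (case-insensitive extended regex) and, if given, does not match EXCLUDE_RE.
# Use EXCLUDE_RE to drop rules for services or products you don't run.
select_sids() {
    awk -F ' [|][|] ' -v inc="$2" -v exc="$3" '
        NF >= 2 {
            sid = $1
            msg = tolower($2)
            if (msg ~ tolower(inc) && (exc == "" || msg !~ tolower(exc)))
                out = out (out == "" ? "" : ",") sid
        }
        END { print out }' "$1"
}

# Example: ddos/backdoor rules, minus anything mentioning a web server.
# Feed the result to fwsnort, e.g.: fwsnort --snort-sid "$(select_sids ...)"
select_sids "$SID_MSG_MAP" 'ddos|backdoor' 'web server'
```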
