#1 | 08-08-2010 | Just Joined! | Join Date: Aug 2010 | Posts: 1
Snort Important Rules
hello all,
I've installed fwsnort on a Linux server; it uses Snort rules and includes them in iptables.
I can use fwsnort to load specific rules only, by rule ID, like this:
# fwsnort --include-type ddos,backdoor
Generate iptables rules for Snort IDs 2008475 and 2003268 (from emerging-all.rules):
# fwsnort --snort-sid 2008475,2003268
Generate iptables rules for Snort IDs 1834 and 2001842 but queue them to userspace via the NFQUEUE target and restrict/exclude the INPUT and OUTPUT chains.
My question is: is there any possible way to get the SIDs of a specific type of rule, or to list the most important rules to be loaded, so that I don't load all the rules, which needs a large amount of memory?
#2 | 08-09-2010 | Just Joined! | Join Date: Aug 2009 | Posts: 79
While the product is called "fwsnort" it actually has nothing to do with Snort (only the rules); it will not convert all rules, and it has none of the characteristics (fast pattern matching, stateful packet analysis, stream reassembly, different alert types, pass-before-log rules, different log targets, et cetera) that make Snort the IDS of choice for many. What I'm saying is that you should make certain that what you use is what you want to use and that it is effective in dealing with threats.
Your definition of "most important" should depend on what you run: what you need to see attacks against. Wrt not loading SIDs, Oinkmaster can strip SIDs, but of course you could brew your own script. Finally, as for what not to load, just delete rulesets before processing them or grep the sid-msg.map for services or products you don't run.
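The "grep the sid-msg.map" approach from the reply above, as an added example that is not code from this thread, fwsnort or Oinkmaster: it picks SIDs from a sid-msg.map by keyword (or everything except a keyword) and prints the comma-separated list that fwsnort's --snort-sid option takes. The map line format "sid || msg || reference" and the sample entries are assumptions/constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from fwsnort/Oinkmaster.
# Selects SIDs from a Snort sid-msg.map by keyword so that only those rules
# are handed to fwsnort via --snort-sid instead of loading every rule.
# Assumed sid-msg.map line format: "sid || msg || reference || ..."

# Constructed sample map for offline use; SIDs and messages are made up.
SAMPLE_MAP='1000001 || ET TROJAN Example backdoor beacon || url,example.invalid
1000002 || ET WEB_SERVER Example PHP injection attempt || cve,0000-0000
1000003 || ET DOS Example flood attempt
1000004 || ET TROJAN Example backdoor file download
# comment lines and blank lines are skipped
'

# select_sids PATTERN FILE [invert]
# Prints a comma-separated list of SIDs whose msg field matches PATTERN
# (case-insensitive awk regex). With a third argument of 1 the match is
# inverted, which is how you drop rules for services you do not run.
select_sids() {
    awk -F ' [|][|] ' -v pat="$1" -v invert="${3:-0}" '
        /^[[:space:]]*(#|$)/ || NF < 2 { next }      # skip comments, blanks, junk
        {
            hit = (tolower($2) ~ tolower(pat)) ? 1 : 0
            if (hit != invert) sids[++n] = $1
        }
        END {
            for (i = 1; i <= n; i++) printf "%s%s", (i > 1 ? "," : ""), sids[i]
            if (n) printf "\n"
        }' "$2"
}

# Demo on the constructed map; a real run would point at the sid-msg.map that
# ships with the downloaded ruleset (its path depends on the distribution).
demo_map=$(mktemp)
printf '%s' "$SAMPLE_MAP" > "$demo_map"
echo "backdoor rules:     $(select_sids backdoor "$demo_map")"
echo "everything but DOS: $(select_sids '^ET DOS' "$demo_map" 1)"
# e.g.: fwsnort --snort-sid "$(select_sids backdoor /path/to/sid-msg.map)"
rm -f "$demo_map"
```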