Author Topic: Snort WAN Rules - Recommendation?  (Read 1150 times)

epionier
Snort WAN Rules - Recommendation?
« on: May 14, 2016, 03:23:13 pm »

I am quite new to IDS with Snort but I have it configured for WAN and enabled promiscuous mode for the WAN port.

In general, I enabled the rules:

Snort VRT Rules
Snort GPLv2 Community Rules
Emerging Threats Open Rules
Snort OpenAppID Detectors

Under "WAN Categories" I enabled "Use IPS Policy" under "Snort VRT IPS Policy Selection" and set it to balanced.
So far I do not have many "false positives", but I wonder if this selection is safe enough, because with "Use IPS Policy" all "Snort Text Rules" and "Snort SO Rules" are greyed out, so I assume they are disabled (that's what the description of "Use IPS Policy" says, too).

I tried to disable "Use IPS Policy" and checked ALL rules that pfSense offered me, but this led to a lot of false positives, so I reverted the option.

My questions:

1. Is it safe enough to just use the free "ET Open Rules" according to IPS policy?

2. If not, which of the "Snort Text Rules" and "Snort SO Rules" are recommended?

3. Are some of the rules the same (or almost)? Because there is e.g. a DNS ruleset in every category of rules.

Perhaps some experienced Snort user can help me out to find peace in the nights ;D