I have two questions.
What Snort Rules supplier is best for IPFire (and why)?
Some examples of what I have read that make me wonder; I don't feel I am capable of making an educated choice because I know too little about these things.
- If I choose one or another, will the rules under "intrusion detection system rules" change, or can I choose the same rules regardless of rule supplier? When I change rule supplier, everything under "intrusion detection system rules" seems to be the same, and the same check boxes I checked before are still chosen.
- I think I also read somewhere that there were problems with chosen rules being reset when updating (but not if you use https://forum.ipfire.org/viewtopic.php?f=27&t=20965 ). Is that the same for all rule suppliers?
- When I read https://forum.ipfire.org/viewtopic.php? ... e&start=30 VRT seems to have problems, so should I therefore go with Emerging Threats? Or if they all work, is one of them better?
- In https://forum.ipfire.org/viewtopic.php?f=27&t=21014 I read that the Emerging Threats ruleset includes rules that just look for known suspect IP addresses. Using Snort rules to block IP addresses this way is actually inefficient. There is a more efficient way of doing it in Snort using the reputation processor, but this doesn't work in the way that Snort is set up on IPFire, which is why the Talos VRT equivalent isn't enabled. There has been some discussion about providing a method of loading IP address blacklists into the firewall, but I'm not aware of any decision being made.
Is it therefore better with Emerging Threats IP blocking, or better without? Is it about how much CPU/RAM it uses, or is it insecure?
What Snort Rules are best for a general home user (and why)?
I have a family and we do our everyday surfing and some gaming. Sometimes my kid has friends over, and they use the Internet. I have an SFTP server, but otherwise no web servers etc.
For this setup I have chosen these rules, and it seems to be working.
Code:
No = app-detect.rules
Yes = attack-responses.rules
Yes = backdoor.rules
Yes = bad-traffic.rules
Yes = blacklist.rules
Yes = botnet-cnc.rules
Yes = browser-chrome.rules
Yes = browser-firefox.rules
Yes = browser-ie.rules
Yes = browser-other.rules
Yes = browser-plugins.rules
Yes = browser-webkit.rules
No = chat.rules
Yes = community.rules
Yes = content-replace.rules
Yes = ddos.rules
Yes = dns.rules
No = emerging-activex.rules
Yes = emerging-attack_response.rules
Yes = emerging-botcc.portgrouped.rules
Yes = emerging-botcc.rules
No = emerging-chat.rules
No = emerging-ciarmy.rules
Yes = emerging-compromised.rules
Yes = emerging-current_events.rules
No = emerging-deleted.rules
No = emerging-dns.rules
Yes = emerging-dos.rules
No = emerging-drop.rules
Yes = emerging-dshield.rules
Yes = emerging-exploit.rules
No = emerging-ftp.rules
No = emerging-games.rules
No = emerging-icmp.rules
No = emerging-icmp_info.rules
No = emerging-imap.rules
No = emerging-inappropriate.rules
No = emerging-info.rules
Yes = emerging-malware.rules
No = emerging-misc.rules
Yes = emerging-mobile_malware.rules
No = emerging-netbios.rules
No = emerging-p2p.rules
No = emerging-policy.rules
No = emerging-pop3.rules
No = emerging-rbn-malvertisers.rules
No = emerging-rbn.rules
No = emerging-rpc.rules
No = emerging-scada.rules
Yes = emerging-scan.rules
No = emerging-shellcode.rules
No = emerging-smtp.rules
No = emerging-snmp.rules
No = emerging-sql.rules
No = emerging-telnet.rules
No = emerging-tftp.rules
No = emerging-tor.rules
No = emerging-trojan.rules
No = emerging-user_agents.rules
No = emerging-voip.rules
No = emerging-web_client.rules
No = emerging-web_server.rules
No = emerging-web_specific_apps.rules
Yes = emerging-worm.rules
No = experimental.rules
Yes = exploit-kit.rules
Yes = exploit.rules
Yes = file-executable.rules
Yes = file-flash.rules
Yes = file-identify.rules
Yes = file-image.rules
Yes = file-java.rules
Yes = file-multimedia.rules
Yes = file-office.rules
Yes = file-other.rules
Yes = file-pdf.rules
No = finger.rules
No = ftp.rules
No = icmp-info.rules
No = icmp.rules
No = imap.rules
Yes = indicator-compromise.rules
Yes = indicator-obfuscation.rules
Yes = indicator-scan.rules
No = indicator-shellcode.rules
Yes = malware-backdoor.rules
Yes = malware-cnc.rules
Yes = malware-other.rules
Yes = malware-tools.rules
No = misc.rules
No = mysql.rules
No = netbios.rules
No = nntp.rules
No = oracle.rules
Yes = os-linux.rules
Yes = os-mobile.rules
No = os-other.rules
No = os-solaris.rules
Yes = os-windows.rules
Yes = other-ids.rules
No = p2p.rules
No = phishing-spam.rules
No = policy-multimedia.rules
No = policy-other.rules
No = policy-social.rules
No = policy-spam.rules
No = policy.rules
No = pop2.rules
No = pop3.rules
No = protocol-dns.rules
No = protocol-finger.rules
Yes = protocol-ftp.rules
No = protocol-icmp.rules
No = protocol-imap.rules
No = protocol-nntp.rules
No = protocol-other.rules
No = protocol-pop.rules
No = protocol-rpc.rules
No = protocol-scada.rules
No = protocol-services.rules
No = protocol-snmp.rules
No = protocol-telnet.rules
Yes = protocol-tftp.rules
No = protocol-voip.rules
No = pua-adware.rules
No = pua-other.rules
No = pua-p2p.rules
No = pua-toolbars.rules
No = rservices.rules
No = server-apache.rules
No = server-iis.rules
No = server-mail.rules
No = server-mssql.rules
No = server-mysql.rules
No = server-oracle.rules
No = server-other.rules
No = server-samba.rules
No = server-webapp.rules
No = smtp.rules
No = specific-threats.rules
Yes = spyware-put.rules
Yes = virus.rules
No = web-activex.rules
No = web-attacks.rules
No = web-cgi.rules
Yes = web-client.rules
No = web-coldfusion.rules
No = web-frontpage.rules
No = web-iis.rules
No = web-misc.rules
No = web-php.rules
No = x11.rules
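As an added illustration of the distinction raised in the quoted reply above (rules that only match a list of suspect IP addresses versus the reputation preprocessor), here is example code that is not from this thread or from IPFire: a small Python parser that finds the Snort rules which match on literal address lists without inspecting payload, and extracts those addresses in the one-address-per-line form a reputation-preprocessor blacklist file takes. The rule lines and addresses are constructed samples with placeholder sids.

```python
import re

# Constructed sample rules for this example (not a real ruleset); sids are placeholders.
SAMPLE_RULES = r'''
# alert ip $HOME_NET any -> [192.0.2.99] any (msg:"SAMPLE disabled, skipped like Snort does"; sid:9000005; rev:1;)
alert ip $HOME_NET any -> [192.0.2.10,192.0.2.11,198.51.100.0/24] any (msg:"SAMPLE CnC IP list"; classtype:trojan-activity; sid:9000001; rev:1;)
alert ip [203.0.113.5,203.0.113.6] any -> $HOME_NET any (msg:"SAMPLE compromised host"; classtype:misc-attack; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE SSH scan"; flags:S; threshold:type both,track by_src,count 5,seconds 60; sid:9000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SAMPLE bad UA"; flow:established,to_server; content:"User-Agent|3a| evil"; nocase; sid:9000004; rev:1;)
'''

# Rule header layout: action proto src sport dir dst dport (options)
HEADER = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')
# Option keywords that inspect payload; a rule using none of them matches on header fields alone.
PAYLOAD_OPTS = {"content", "uricontent", "pcre", "byte_test", "byte_jump", "isdataat"}
IP_RE = re.compile(r'\b\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?\b')


def parse_rules(text):
    """Return one dict per active (non-comment) rule line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER.match(line)
        if not m:
            continue
        _action, proto, src, _sport, _dir, dst, _dport, body = m.groups()
        # Split options on ';' unless escaped as '\;' inside a content string.
        opts = [o.strip() for o in re.split(r'(?<!\\);', body) if o.strip()]
        keywords = {o.split(":", 1)[0].strip() for o in opts}
        sid = next((o.split(":", 1)[1].strip() for o in opts if o.startswith("sid:")), None)
        rules.append({"sid": sid, "proto": proto, "src": src, "dst": dst, "keywords": keywords})
    return rules


def ip_only_rules(rules):
    """Rules that fire on a literal IP list in src or dst and inspect no payload."""
    return [r for r in rules if not (r["keywords"] & PAYLOAD_OPTS)
            and (IP_RE.search(r["src"]) or IP_RE.search(r["dst"]))]


def reputation_blacklist(rules):
    """Unique addresses from IP-only rules, in the one-per-line form a reputation blacklist file uses."""
    addrs = set()
    for r in ip_only_rules(rules):
        addrs.update(IP_RE.findall(r["src"]) + IP_RE.findall(r["dst"]))
    return sorted(addrs)
```

Run over a real emerging-*.rules file, the ratio of `ip_only_rules` to all parsed rules shows how much of that file is plain address-list matching, which is the case the quoted reply calls inefficient.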