New ET Users Guide

1. First, you need an IDS (such as Suricata or Snort) installed and running. Doing that is a bit beyond the scope of this guide. If you're having issues, google "suricata/snort howto"; you'll find many articles that will suit your needs.

2. Check out the sample emerging.conf. We recommend either adding its contents to your snort.conf or including it from there. It will show you how to include the new rules within your existing ruleset. If you're using a rule manager, point it to a tarball or individual rules file in this directory. You should choose either the open or open-nogpl ruleset first. Open contains all of the ET open rules, the original snort GPL rules (sids 3464 and lower) and the good of the community ruleset. Open-nogpl contains JUST the ET open rules; use this if you are combining with another ruleset like VRT.

You then need to choose a platform. These are listed under each ruleset type. Choose the snort version or Suricata version at or under your running version. Be careful going forward. If you are using Pulled Pork or other management tools, you can request the three digit version of your engine and we will automatically steer you to the correct version of rules. A sample url would be:

3. Choose your rules. You CANNOT UNDER ANY CIRCUMSTANCE run every rule in this ruleset, nor should you in any other ruleset. You have to poke through and take a look. You don't necessarily have to fully understand how to read a rule and look at every single one. You can go by major category (the rules are organized into categories) to start, then tune as you go.

4. Run it and see what happens. You'll get noise. Tuning will be critical. Don't expect to turn these on and go home for the weekend. You MUST spend some time tuning or you're going to fill your event database with junk.

5. Once you're tuned, look at your performance stats. Send snort a USR1 (i.e. kill -USR1 <snort pid>) and watch syslog. You'll get some statistics. Make SURE your dropped packets are low, like under 1%. If you're much higher than that you're going to miss things. You have to tune your ruleset further by removing unnecessary rules, giving your sensor more power, changing the search method, or giving it some acceleration hardware. Lots of options there, but the first step is to really take a deep look at your ruleset. Drop whatever you cannot use. If you're not going to react to something, consider not using it.
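One way to automate the dropped-packet check in step 5, as an added example that is not part of the ET guide: it assumes Snort's 2.9-style "Packet I/O Totals" block (Received:/Dropped: lines) reaches syslog after the USR1, and the syslog excerpt below is constructed, not real sensor output.

```python
"""Check the packet-drop ratio Snort reports after a USR1 (added example).

Assumes the Snort 2.9-style "Packet I/O Totals" block logged to syslog;
the sample lines are constructed for illustration.
"""
import re

# Constructed sample syslog excerpt (not captured from a real sensor).
SAMPLE_SYSLOG = """\
Apr 19 10:02:11 sensor snort[1234]: Packet I/O Totals:
Apr 19 10:02:11 sensor snort[1234]:    Received:       250000
Apr 19 10:02:11 sensor snort[1234]:    Analyzed:       244500 ( 97.800%)
Apr 19 10:02:11 sensor snort[1234]:     Dropped:         5500 (  2.200%)
Apr 19 10:02:11 sensor snort[1234]:    Filtered:            0 (  0.000%)
"""

MAX_DROP_PCT = 1.0  # the guide's rule of thumb: keep drops under 1%

# Only the two counters needed for the ratio; "Analyzed"/"Filtered" are ignored.
_COUNTER = re.compile(r"\b(Received|Dropped):\s+(\d+)")


def parse_packet_totals(text):
    """Return {'Received': n, 'Dropped': n} from the stats block(s) in text.

    If several USR1 dumps are present, the last block wins.
    """
    totals = {}
    for name, value in _COUNTER.findall(text):
        totals[name] = int(value)
    return totals


def drop_percent(totals):
    """Dropped packets as a percentage of received packets (0.0 if none)."""
    received = totals.get("Received", 0)
    if received == 0:
        return 0.0
    return 100.0 * totals.get("Dropped", 0) / received


def drops_acceptable(text, limit=MAX_DROP_PCT):
    """True when the sensor is below the drop threshold, i.e. keeps up."""
    return drop_percent(parse_packet_totals(text)) < limit


if __name__ == "__main__":
    pct = drop_percent(parse_packet_totals(SAMPLE_SYSLOG))
    verdict = "OK" if pct < MAX_DROP_PCT else "TUNE YOUR RULESET"
    print(f"dropped {pct:.3f}% of packets -> {verdict}")
```

Run it against the relevant slice of syslog (e.g. the output of grep for the snort process) right after sending the USR1; a drop figure above the 1% threshold means the ruleset or sensor needs more work.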

Now go to WhatEveryIDSUserShouldDo. These are tips for some local config things to try.

Then go to SuricataSnortSigs101 for tips on writing sigs and submitting them here.

-- MattJonkman - 29 Nov 2010

Topic revision: r5 - 2013-04-19 - MattJonkman