Ideal set of rules for production environment?


While testing Suricata, I used the emerging threats set of rules (I downloaded "emerging-all.rules.tar.gz" from Proofpoint Emerging Threats Rules).

However, it seems to me that it logs way too much stuff for still being able to track down suspicious activity.

Does anyone have any recommendations on the ideal set of rules that can be used in a production environment to monitor servers (and possibly client machines also)?

Thank you.

It depends, there are thousands of rules in the ET ruleset and most of them are dependent on your environment.

You will need to tackle this as a continuous effort without a finish line, this is because both the rules and your environment are evolving, and the ET ruleset is generic for all environments.

Start by enabling all the rules, disable ones that affect software that is not present in your environment (use the tags to search for them).

Disable/transform noisy ones or ones with a high false positive rate, after a while you will end up with a highly tuned ruleset that is specific for your environment and your team.

Doing this requires a reasonably good rules management tool (full disclosure: I have developed one) that lets your team continuously do this tuning.
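The tuning loop the answer describes (enable everything, disable by product tag, then disable or transform the noisy rest) as an added example. This is not code from the answer's author, from the ET ruleset or from Suricata; in production the same three steps are what suricata-update's disable.conf and modify.conf files drive. The rules below are constructed in ET syntax with sids in the local (>1,000,000) range and do not correspond to real signatures; the inventory, the "noisy" sid list and the threshold values are assumptions standing in for what a team would maintain.

```python
"""Tune a Suricata ruleset by affected_product tag, by sid, and by rate-limiting.

Added example: not the ET project's or the answer author's code.
"""
import re
from dataclasses import dataclass, field

# Constructed sample rules (ET-style metadata; sids are local-range, not real ET sids).
SAMPLE_RULES = """\
# constructed test rules, not part of any real ruleset
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"TEST EXPLOIT IIS admin path"; flow:established,to_server; http.uri; content:"/iisadmin"; metadata:affected_product IIS, signature_severity Major; sid:9000001; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"TEST EXPLOIT Apache cgi-bin probe"; flow:established,to_server; http.uri; content:"/cgi-bin/"; metadata:affected_product Apache_HTTP_server, signature_severity Major; sid:9000002; rev:1;)
alert dns $HOME_NET any -> any any (msg:"TEST POLICY DNS query to dyn DNS domain"; dns.query; content:".dyndns.org"; metadata:affected_product Any, signature_severity Informational; sid:9000003; rev:2;)
#alert tcp any any -> $HOME_NET 23 (msg:"TEST POLICY telnet login"; flow:established,to_server; metadata:affected_product Any, signature_severity Minor; sid:9000004; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"TEST SCAN ping sweep"; itype:8; metadata:affected_product Any, signature_severity Informational; sid:9000005; rev:1;)
"""

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
META_RE = re.compile(r"\bmetadata:\s*([^;]*);")


@dataclass
class Rule:
    body: str                        # rule text with any leading '#' removed
    sid: int
    enabled: bool                    # False when the line was commented out
    metadata: dict[str, list[str]]   # e.g. {"affected_product": ["IIS"], ...}


@dataclass
class Policy:
    products_present: set[str]                               # assumed inventory; "Any" always matches
    disable_sids: set[int] = field(default_factory=set)      # rules the team judged noisy
    thresholds: dict[int, tuple[int, int]] = field(default_factory=dict)  # sid -> (count, seconds)


def parse_rule(line: str):
    """Return a Rule for a (possibly commented-out) rule line, or None for non-rule text."""
    stripped = line.strip()
    body = stripped.lstrip("#").strip()
    m = SID_RE.search(body)
    if not m or "(" not in body:
        return None
    meta: dict[str, list[str]] = {}
    mm = META_RE.search(body)
    if mm:
        for item in mm.group(1).split(","):
            key, _, value = item.strip().partition(" ")
            if key:
                meta.setdefault(key, []).append(value.strip())
    return Rule(body=body, sid=int(m.group(1)),
                enabled=not stripped.startswith("#"), metadata=meta)


def tune(rules_text: str, policy: Policy):
    """Apply the policy; return (tuned rule lines, {sid: decision})."""
    tuned, decisions = [], {}
    for line in rules_text.splitlines():
        rule = parse_rule(line)
        if rule is None:
            tuned.append(line)                     # comments etc. pass through unchanged
            continue
        if not rule.enabled:
            decisions[rule.sid] = "left disabled"  # upstream shipped it off; keep it off
            tuned.append("# " + rule.body)
            continue
        # Step 1: drop rules for software that is not in the inventory (tag search).
        products = set(rule.metadata.get("affected_product", ["Any"]))
        if "Any" not in products and not products & policy.products_present:
            decisions[rule.sid] = "disabled: affected_product not in inventory"
            tuned.append("# " + rule.body)
            continue
        # Step 2: disable rules the team has found too noisy / high false-positive.
        if rule.sid in policy.disable_sids:
            decisions[rule.sid] = "disabled: listed as noisy"
            tuned.append("# " + rule.body)
            continue
        # Step 3: transform instead of disable: rate-limit per source with a threshold option.
        if rule.sid in policy.thresholds:
            count, seconds = policy.thresholds[rule.sid]
            opt = f"threshold:type limit, track by_src, count {count}, seconds {seconds}; "
            tuned.append(SID_RE.sub(lambda m: opt + m.group(0), rule.body, count=1))
            decisions[rule.sid] = f"thresholded: {count} alert(s) per source per {seconds}s"
            continue
        decisions[rule.sid] = "kept"
        tuned.append(rule.body)
    return tuned, decisions


# Assumed policy for a Linux/Apache estate; IIS rules are pointless there,
# the ping-sweep rule is treated as noise, and the dyn-DNS rule is kept but rate-limited.
EXAMPLE_POLICY = Policy(products_present={"Apache_HTTP_server", "Linux"},
                        disable_sids={9000005},
                        thresholds={9000003: (1, 3600)})

if __name__ == "__main__":
    lines, decisions = tune(SAMPLE_RULES, EXAMPLE_POLICY)
    for sid, why in sorted(decisions.items()):
        print(sid, why)
    print("\n".join(lines))
```

Rerunning the script against each new ET release is the "no finish line" part: the policy file is what the team owns, the ruleset is what upstream owns, and the merge is recomputed every time either side changes.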