Rule recommendations for an Intrusion Detection System

Hello, everyone. I'm trying to use Suricata as an IDS engine and have now got it installed and have verified that it is working. I have downloaded the Emerging Threats ruleset; however, a lot of rules in the file seem to be commented out:

This is confusing, as if the aim is to provide security, then why are multiple rules commented out?
Is there a specific ruleset used for the purposes of an IDS in production? If so, where can I download it? If not, which rules do you recommend un-commenting?

It really depends on your deployment and what you are looking to detect. Do you have web servers behind this sensor? You should probably enable the WEB_SERVER rule file if so. Are you concerned about coin miners behind this sensor? If you’re not, you probably don’t need the COINMINERS rule file. Are you less concerned with sensor noise here and looking to hunt for that new hotness? You may want to enable the INFO and HUNTING rule categories. etc…

Many times commented rules are rules that are no longer relevant to what we are seeing in our (EmergingThreats) traffic in the past few years. Sometimes rules are commented out due to it passing a certain threshold for what we consider to be too many false positives or requiring too many resources. We typically refrain from deleting rules or moving them into the deleted.rules file unless we’re pretty confident that they will not be useful to anyone. If you want to enable everything, you can certainly do that with any rule manager or a sed command. I don’t personally have any recommendations for rules to enable that are disabled by default without some specific requirement, as they’re usually disabled for a reason.


Ah, I see so you have a wide range of different applications, and as such you comment out the rules so that people can choose which ones to use.

In this case, what would you recommend for protecting Windows 10 computers in an office environment?

Well, to be clear, not all ET rules are commented out, but the new rules are always added to the bottom of the rule files each day. If you’re just looking at the beginning, it may appear that all the rules are commented out as those are the oldest rules in that particular file.

If you have the time and are able, I would recommend enabling all the rule files initially and take a few days to determine what you are dealing with on the network. I don’t know your network and I know from experience that I have found things on the network that I didn’t know were there. If you know that you are not going to have web servers behind the IDS, then you probably don’t need the WEB_SERVERS rule file enabled. Once you see what the logs are generating, you can start tuning down from there.

Much of IDS perception is that ALERT==BAD THING, but much of what we do with the ET ruleset is to try to give you a highlighter for your network traffic. When something happens, we want you to be able to look at the logs and be able to tell a story quickly and as accurately as possible. I find that the INFO and HUNTING rulesets are extremely useful, but some users don't want the noise. YMMV

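A small rule-file helper, added here as an example that is not part of this thread or of the Suricata/ET tooling: it counts enabled and disabled rules in an ET-style rules file and uncomments or comments out rules by sid, which is the "enable everything, then tune down" workflow described in the replies above. The sample rules and sids below are constructed placeholders, not real ET signatures.

```python
import re

# A rule line, optionally disabled with a leading '#' (ET files use both "# alert" and "#alert").
RULE_RE = re.compile(r'^(?P<off>#\s*)?(?P<action>alert|drop|pass|reject)\s')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')

# Constructed sample in ET rule format; the sids are placeholders, not real ET sids.
SAMPLE = """\
# alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO placeholder old rule"; sid:9000001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING placeholder"; sid:9000002; rev:1;)
#alert tcp any any -> any any (msg:"ET POLICY placeholder noisy rule"; sid:9000003; rev:2;)
"""

def parse_rules(text):
    """Return (sid, enabled, line) for every rule line; plain comments and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        sid = SID_RE.search(line) if m else None
        if sid:
            rules.append((int(sid.group(1)), m.group('off') is None, line))
    return rules

def summarize(text):
    """Counts of total/enabled/disabled rules, useful before and after a tuning pass."""
    rules = parse_rules(text)
    enabled = sum(1 for _, on, _ in rules if on)
    return {'total': len(rules), 'enabled': enabled, 'disabled': len(rules) - enabled}

def toggle(text, enable_sids=(), disable_sids=()):
    """Rewrite the file text: uncomment rules in enable_sids, comment out rules in disable_sids."""
    out = []
    for line in text.splitlines():
        stripped = line.strip()
        m = RULE_RE.match(stripped)
        sid = SID_RE.search(stripped) if m else None
        if sid:
            body = stripped[m.end('off'):] if m.group('off') else stripped
            s = int(sid.group(1))
            if s in enable_sids:
                line = body            # drop the leading '#'
            elif s in disable_sids:
                line = '# ' + body     # add one, keeping the rule text intact
        out.append(line)
    return '\n'.join(out) + '\n'

def enable_all(text):
    """The 'enable everything first' step: uncomment every rule in the file."""
    return toggle(text, enable_sids={s for s, _, _ in parse_rules(text)})
```

To apply this to a real file, read it into `text`, call `enable_all` or `toggle`, and write the result back; the edited file is then loaded by Suricata like any other rules file.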