Designing a Targeted Ruleset

At some point you may want to develop a targeted ruleset: one that alerts only on services and hosts that actually exist on your network. In a targeted ruleset a rule stays enabled only if the service it inspects is present on at least one host; every rule for a service that no host offers is disabled. This can trim the ruleset considerably, and with it the sensor's load and the stream of alerts for attacks that could never have succeeded. The trade-off is visibility: with a targeted ruleset you are less likely to see attempted attacks and reconnaissance against services you do not run. An attacker has to go after a legitimate service on a legitimate host before Snort notices.
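The pruning described above can be scripted: compare the destination ports of each rule aimed at $HOME_NET against an inventory of services actually listening on your hosts, and comment out the rules that can never match. The following is an added example written for this page, not code from the book or from the Snort project. The host inventory, the portvar values and the rules (with sids in the local 1000000+ range) are all constructed here; in practice the inventory would come from a scan or asset database and the portvars from snort.conf. The script is deliberately conservative: rules whose port set it cannot bound (any, negated ports, unknown variables), rules without a service port (ip, icmp) and rules about traffic to $EXTERNAL_NET are left enabled, because the inventory says nothing about them.

```python
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed inventory (assumption): host -> protocol -> open ports, as an
# nmap scan of $HOME_NET or an asset database would report them.
INVENTORY: Dict[str, Dict[str, Set[int]]] = {
    "192.168.1.10": {"tcp": {22, 80, 443}},
    "192.168.1.20": {"tcp": {25, 110}, "udp": {53}},
}

# Assumed portvar values; the real ones live in snort.conf.
PORTVARS: Dict[str, str] = {
    "$HTTP_PORTS": "[80,8080]",
    "$SHELLCODE_PORTS": "!80",
}

# Constructed sample rules (sids in the local range, not real signatures).
SAMPLE_RULES: List[str] = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB probe"; sid:1000001;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP login attempt"; sid:1000002;)',
    'alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS query"; sid:1000003;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 1433 (msg:"MSSQL probe"; sid:1000004;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"IRC client"; sid:1000005;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SYN scan"; sid:1000006;)',
    'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ping"; sid:1000007;)',
]

# Rule header: action proto src sport dir dst dport (options...
# Port lists must be written without spaces, e.g. [80,8080].
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\("
)


def parse_ports(spec: str, portvars: Dict[str, str] = PORTVARS) -> Optional[Set[int]]:
    """Expand a Snort port field into a set of ports.

    Returns None when the set cannot be bounded: 'any', a negation, or a
    variable we do not know. Nested lists are not handled."""
    spec = spec.strip()
    if spec.startswith("$"):
        if spec not in portvars:
            return None
        spec = portvars[spec]
    if spec == "any" or spec.startswith("!"):
        return None
    ports: Set[int] = set()
    for item in spec.strip("[]").split(","):
        item = item.strip()
        if not item:
            continue
        if item.startswith("!") or item.startswith("$"):
            return None
        if ":" in item:  # range: lo:hi, lo:, or :hi
            lo, _, hi = item.partition(":")
            ports.update(range(int(lo) if lo else 1, (int(hi) if hi else 65535) + 1))
        else:
            ports.add(int(item))
    return ports


def services_on_network(inventory: Dict[str, Dict[str, Set[int]]], proto: str) -> Set[int]:
    """Union of the ports open for one protocol across every inventoried host."""
    live: Set[int] = set()
    for host in inventory.values():
        live |= host.get(proto, set())
    return live


def rule_targets_live_service(rule: str, inventory=INVENTORY, portvars=PORTVARS) -> Optional[bool]:
    """True if the rule's $HOME_NET-side ports overlap a live service, False if
    they provably do not, None if the rule is out of scope or unbounded."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        return None
    proto = m.group("proto").lower()
    if proto not in ("tcp", "udp"):
        return None  # ip/icmp rules carry no service port
    candidates = []
    if m.group("dst") == "$HOME_NET":
        candidates.append(m.group("dport"))
    if m.group("dir") == "<>" and m.group("src") == "$HOME_NET":
        candidates.append(m.group("sport"))
    if not candidates:
        return None  # traffic towards $EXTERNAL_NET: inventory is irrelevant
    live = services_on_network(inventory, proto)
    for spec in candidates:
        ports = parse_ports(spec, portvars)
        if ports is None:
            return None
        if ports & live:
            return True
    return False


def target_ruleset(rules: Iterable[str], inventory=INVENTORY, portvars=PORTVARS) -> Tuple[List[str], int]:
    """Comment out rules for services no host offers; return new lines and the count disabled."""
    out: List[str] = []
    disabled = 0
    for line in rules:
        if line.lstrip().startswith("#"):
            out.append(line)  # already off, leave as is
            continue
        if rule_targets_live_service(line, inventory, portvars) is False:
            out.append("# disabled (no such service): " + line)
            disabled += 1
        else:
            out.append(line)
    return out, disabled


if __name__ == "__main__":
    lines, count = target_ruleset(SAMPLE_RULES)
    print("\n".join(lines))
    print(f"# {count} rule(s) disabled")
```

Run against the constructed data, the FTP and MSSQL rules are disabled because no inventoried host listens on 21 or 1433, the HTTP and DNS rules stay because 80 and udp/53 are live, and the IRC, SYN-scan and ICMP rules are left untouched because the script cannot decide them from the inventory. Re-run it whenever the inventory changes; a service brought up after the ruleset was targeted is invisible until its rules are re-enabled.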

There are several situations in which a targeted ruleset is appropriate. If you have placed a sensor on the internal side of a firewall, you may want to develop a targeted ...

Source: Intrusion Detection with Snort (O'Reilly).