Designing a Targeted Ruleset

There may come a point when you want to develop a targeted ruleset: one that alerts only on services and hosts that actually exist on your network. In a targeted ruleset, a rule stays enabled only if it covers a service that is present on some host you monitor; a rule that matches no service on any host is disabled. This can trim the ruleset's size considerably. The trade-off is visibility: with a targeted ruleset you are less likely to see attempted attacks against services you do not run, because an attacker has to attack a legitimate service on a legitimate host to be noticed by Snort. The ruleset is also only as accurate as your inventory of hosts and services, so it must be revisited whenever a service is added.
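The pruning step described above, as an added example that is not from the book: a small Python script that reads Snort rules, expands the port specification in each rule header (literal ports, ranges, lists, negation, and snort.conf-style $VARIABLES), and comments out any rule whose protocol and destination port cannot match a service that actually exists. The service inventory, the port variables, and the sample rules (local-range sids, placeholder messages) are all constructed for the example; in practice the inventory would come from a host and service survey of the monitored segment.

```python
import re

# Constructed service inventory: protocol -> ports found listening somewhere on
# the monitored segment (assumption: produced by a host/service survey).
INVENTORY = {
    "tcp": {22, 25, 80, 443},
    "udp": {53},
}

# Constructed snort.conf-style port variables referenced by the sample rules.
PORT_VARS = {
    "HTTP_PORTS": "80",
    "SHELLCODE_PORTS": "!80",
    "ORACLE_PORTS": "1521",
}

# Constructed sample rules (sids in the local range, placeholder messages).
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB example"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1433 (msg:"MS-SQL example"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS example"; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1:1024 (msg:"low-port example"; sid:1000004; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $ORACLE_PORTS (msg:"ORACLE example"; sid:1000005; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP example"; sid:1000006; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS example"; sid:1000007; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP example"; sid:1000008; rev:1;)
alert tcp $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE example"; sid:1000009; rev:1;)
"""

# action proto src sport dir dst dport (
HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\(")


def port_set(spec, port_vars):
    """Expand a port spec (80, 1:1024, [139,445], $VAR, any, !X) into
    (ports, negated). ports is None for 'any'."""
    spec = spec.strip()
    negated = False
    if spec.startswith("!"):
        negated = True
        spec = spec[1:]
    if spec.startswith("$"):
        inner, inner_neg = port_set(port_vars[spec[1:]], port_vars)
        return inner, negated ^ inner_neg
    if spec == "any":
        return None, negated
    ports = set()
    for item in spec.strip("[]").split(","):
        if ":" in item:
            lo, hi = item.split(":")
            ports.update(range(int(lo or 0), int(hi or 65535) + 1))
        else:
            ports.add(int(item))
    return ports, negated


def spec_matches(spec, present, port_vars):
    """True if at least one port that is actually in service satisfies the spec."""
    ports, negated = port_set(spec, port_vars)
    if ports is None:
        return not negated  # 'any' matches everything; '!any' matches nothing
    hits = present - ports if negated else present & ports
    return bool(hits)


def rule_applies(rule, inventory, port_vars):
    """Decide whether a rule can ever fire against a service that exists.
    Port-less protocols (ip, icmp) are always kept; a protocol with no
    services in the inventory disables every rule written for it."""
    m = HEADER.match(rule)
    if not m:
        raise ValueError("not a rule header: " + rule)
    proto, sport, direction, dport = m.group(2), m.group(4), m.group(5), m.group(7)
    if proto not in ("tcp", "udp"):
        return True
    present = inventory.get(proto, set())
    if not present:
        return False
    if direction == "<>":
        return spec_matches(sport, present, port_vars) or spec_matches(dport, present, port_vars)
    # For '->' the service is the destination. A rule whose destination port is
    # 'any' cannot be tied to one service, so it is kept rather than dropped.
    return spec_matches(dport, present, port_vars)


def target_ruleset(rules_text, inventory, port_vars):
    """Return (new_text, disabled_count). Rules that cannot match an existing
    service are commented out, which is how a Snort rules file disables a rule."""
    out, disabled = [], 0
    for line in rules_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            out.append(line)
            continue
        if rule_applies(line, inventory, port_vars):
            out.append(line)
        else:
            out.append("# " + line)
            disabled += 1
    return "\n".join(out) + "\n", disabled


if __name__ == "__main__":
    text, n = target_ruleset(SAMPLE_RULES, INVENTORY, PORT_VARS)
    print(text)
    print("disabled %d rules" % n)
```

Against the constructed inventory the script disables the MS-SQL, NETBIOS, ORACLE and SNMP rules and keeps the rest, including the ICMP rule and the shellcode rule whose destination port is `any`. The script errs toward keeping a rule whenever it cannot tie it to a specific service, since silently dropping a rule is the failure mode a targeted ruleset is most exposed to.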

There are several situations in which a targeted ruleset is appropriate. If you have placed a sensor on the internal side of a firewall, you may want to develop a targeted ...
