Snort mailing list archives
Snort Questions
From: "Sandy Martin" <lists () ironcomet com>
Date: Thu, 20 Jun 2002 08:23:19 -0400
I have been studying Snort on Windows for a couple of weeks now and have
gotten a pretty good idea of how it works and how to deploy it.
If it is ok, I would like to ask a couple of questions to clarify a couple of
points.
First, after looking through the rules, I noticed a wide variety of rules
for a cross section of platforms. I understand that they were written that
way on purpose. My question is, is it ok to go through and edit these rules
to remove all of the *nix related stuff? Our network is composed of 20
nodes. All Windows 2000 with 1 Windows 2000 Server. The server is a DC but
not a web/mail, etc. server. So, I was thinking that to improve performance
and reduce false positives, I could go through and edit the rules leaving
only the Win32 stuff in. Is this a good route to go?
The second question is as follows. Given the pretty basic network setup
described above, can someone give me a good idea of which rules are good to
start with (before I get into editing them)? Obviously, some like X11 and
web-coldfusion would not be necessary. What would be a good starting point?
Any input here?
Thank you to anyone that is able to help.
Sandy
Low man on the totem pole
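One way to do the trimming the first question asks about, as an added example that is not part of the original post and not Snort's own tooling: a small Python script that reads a Snort rules file in the classic `alert proto src sport -> dst dport (options)` syntax and disables (comments out, rather than deletes) every rule that neither mentions a Windows-related keyword in its `msg` nor targets a port a Windows 2000 host would actually expose. Commenting out keeps the original rule text in the file so a rule can be re-enabled later, and rules with a destination port of `any` (ICMP, scan detection and similar) are kept because they apply to any platform. The keyword list, the port list and the sample rules below are all constructed for this example; the SIDs are placeholders and do not correspond to real Snort rules.

```python
"""Disable Snort rules that are not relevant to a Windows-only network.

Added example, not from the original mailing-list post or from the Snort
project. Keywords, ports and sample rules are assumptions made for the demo.
"""
import re

# Assumed: msg prefixes that mark Windows-relevant rules in the stock rule set.
WIN32_KEYWORDS = ("NETBIOS", "SMB", "MS-SQL", "WEB-IIS", "WEB-FRONTPAGE")
# Assumed: ports a Windows 2000 workstation/DC exposes (RPC, NetBIOS, SMB, SQL).
WIN32_PORTS = {135, 137, 138, 139, 445, 1433}

# Constructed sample rules (hypothetical SIDs), one per line, Snort 1.x/2.x syntax.
SAMPLE_RULES = """\
# --- constructed sample rules ---
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IPC$ share access"; flow:to_server,established; content:"IPC$"; classtype:protocol-command-decode; sid:100001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 6000:6005 (msg:"X11 outbound client connection detected"; flow:established; classtype:protocol-command-decode; sid:100002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-COLDFUSION admin access"; flow:to_server,established; content:"/cfide/administrator"; nocase; classtype:web-application-attack; sid:100003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1433 (msg:"MS-SQL sa login failed"; flow:to_server,established; content:"Login failed for user 'sa'"; classtype:unsuccessful-user; sid:100004; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request rstatd"; content:"|00 01 86 A1|"; classtype:rpc-portmap-decode; sid:100005; rev:1;)
"""

RULE_RE = re.compile(
    r'^(?P<action>alert|log|pass)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)
MSG_RE = re.compile(r'msg:\s*"([^"]*)"')
SID_RE = re.compile(r'sid:\s*(\d+)')


def parse_rule(line):
    """Return the fields this filter needs from one rule line, or None for non-rules."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    opts = m.group("opts")
    msg = MSG_RE.search(opts)
    sid = SID_RE.search(opts)
    return {
        "proto": m.group("proto"),
        "dport": m.group("dport"),
        "msg": msg.group(1) if msg else "",
        "sid": int(sid.group(1)) if sid else None,
    }


def port_spec_hits(spec, ports):
    """True if a port spec ('any', '139', '6000:6005', '1024:', '!80') covers any port in `ports`."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    body = spec.lstrip("!")
    try:
        if ":" in body:
            lo, hi = body.split(":", 1)
            lo, hi = int(lo or 0), int(hi or 65535)
        else:
            lo = hi = int(body)
    except ValueError:
        # $VARIABLE and [list] port specs are not resolved in this example.
        return False
    return any((lo <= p <= hi) != negate for p in ports)


def select_rules(rules_text, keywords=WIN32_KEYWORDS, ports=WIN32_PORTS):
    """Comment out rules that match neither a keyword nor a relevant destination port.

    Returns (filtered_text, kept_sids, disabled_sids). Comments and blank lines
    pass through untouched.
    """
    kept, disabled, out = [], [], []
    for line in rules_text.splitlines():
        rule = parse_rule(line)
        if rule is None:
            out.append(line)
            continue
        msg_upper = rule["msg"].upper()
        relevant = any(k in msg_upper for k in keywords) or port_spec_hits(rule["dport"], ports)
        if relevant:
            kept.append(rule["sid"])
            out.append(line)
        else:
            disabled.append(rule["sid"])
            out.append("# disabled(not-win32): " + line)
    return "\n".join(out) + "\n", kept, disabled


if __name__ == "__main__":
    text, kept, disabled = select_rules(SAMPLE_RULES)
    print(text)
    print("kept:", kept, "disabled:", disabled)
```

Running the script on the constructed sample keeps the NETBIOS and MS-SQL rules and comments out the X11, ColdFusion and RPC portmap rules. To use it on a real rules file, read the file contents into `select_rules` instead of `SAMPLE_RULES` and write the returned text to a new file; port variables such as `$HTTP_PORTS` are not resolved, so rules using them are kept only if their `msg` matches a keyword.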
