Snort mailing list archives

Preprocessor rules and variable question


From: Armindo Rodrigues via Snort-users <snort-users () lists snort org>
Date: Tue, 17 Oct 2017 23:11:58 +0000

Hi all. A few quick questions regarding tuning.

I have a lot of events generating from a bunch of preprocessor rules. What
are best practices when investigating these events and with tuning? Are they
treated like normal Snort events? Are there some that I shouldn’t worry
about? Are some only worrisome if accompanied by another rule? I came from
a place that previously turned off all alerting for preprocessor rules and
that doesn’t seem right to me.

Regarding variables

How do you guys have your default catch-all policy variable for home_net?
I’m working on creating policies and rules for each network segment based
on specific IP ranges and network objects. How should I set the catch-all
default? Would it be something like home_net = all RFC 1918 addresses in
the event none of the other more specific rules catch the traffic?

Thanks for any help.
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
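The two questions above (a catch-all HOME_NET and how preprocessor events are handled) can be illustrated with a snort.conf excerpt. This is an added, constructed example, not code from the original post or from the Snort project; the segment names, address ranges, host address and the sig_id value are assumptions chosen for illustration.

```conf
# snort.conf excerpt (constructed example, not from the original post).

# Catch-all HOME_NET covering all RFC 1918 space. Segment-specific
# policies would define narrower variables and rules on top of this.
ipvar HOME_NET [10.0.0.0/8,172.16.0.0/12,192.168.0.0/16]

# Everything that is not HOME_NET is treated as external.
ipvar EXTERNAL_NET !$HOME_NET

# Narrower per-segment variables for segment-specific rules
# (assumed names and ranges).
ipvar DMZ_NET 192.168.10.0/24
ipvar SERVER_NET 10.20.0.0/16

# Preprocessor and decoder events are ordinary rules keyed by their own
# generator id (GID), e.g. 116 for the decoder, 120 for http_inspect,
# 129 for stream5. They are loaded like any other rule file, so leaving
# these includes in place keeps the events visible for investigation.
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules

# Tuning is then done per GID:SID in threshold.conf rather than by
# disabling the whole category. Rate-limit a noisy decoder event to one
# alert per source per minute (sig_id 1 is illustrative):
#   event_filter gen_id 116, sig_id 1, type limit, track by_src, count 1, seconds 60
# Or silence it only for a known-noisy host (assumed address):
#   suppress gen_id 116, sig_id 1, track by_src, ip 10.20.0.5
```

Because HOME_NET and EXTERNAL_NET are what most rules key on for direction, an overly broad or inverted catch-all silently changes which traffic the rest of the ruleset inspects, so the catch-all should be checked whenever a new segment-specific policy is added.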
