@Thomas-Pondant,
I hope all is well. Great question!! Tools like Snort are complex, as they allow us to potentially monitor traffic flows across the entire depth and breadth of an enterprise, generating HUGE volumes of potential data in the process.
The challenge with a tool such as Snort (whether IDS or IPS, or even IDPS) is to figure out what you are asking about, which is to say, "What is the protection profile I am looking to align with and build/monitor for in my enterprise?"
This is actually a much more complex undertaking than most people understand, as you have to step back and plan first, test second, refine/adjust third, and then consume data fourth, and finally, iterate the process on a consistent schedule to ensure updates and new issues/concerns are being addressed as they appear/emerge/are identified (APTs, zero-days, additional business requirements, compliance concerns, etc.).
What I tell most of my customers as I work with them to stand up IDPS solutions such as Snort or others, is that you should start small, and then incrementally add capacity and capabilities to match your needs, but only as your comfort level and abilities to consume and use the data they will produce grow.
What you DO WANT is a situation where you are not OVERWHELMED BY A DATA AVALANCHE, leading to what we call "Decision Paralysis" due to too many inputs and too much information flooding the system at once, or over a very short period of time, to be useful.
What you DO NOT WANT is a situation, conversely, where you are UNDERWHELMED BY THE LACK OF ACTIONABLE DATA, leading to gaps in your monitoring and security postures/perimeters, and as a result, potential blind spots that adversaries can exploit to hide within and ultimately do harm from.
Start with the default settings and rules, run a 3-day cycle on your test area of your network, and see what you get. Take the time to analyze the output and understand what is there, but also what is not. From that baseline, you will be much better armed to make the next set of decisions, in consultation with senior leadership/security/risk management functions in the business about what additional areas to enable focus on, allowing you to incrementally build a protection profile that is tailored to the needs of the business.
Good luck!!!
Cheers,
Adam