Update FMC and the managed devices to the latest recommended version.
Update the Snort rules (VRT/Talos rule pack) to the latest version.
Define and configure HOME_NET and EXTERNAL_NET in the variable set (Objects -> Object Management -> Variable Set). Both default to "any", which makes direction-sensitive rules fire on internal-to-internal traffic too; scope them to your network:
HOME_NET = 192.168.1.0/24
EXTERNAL_NET = !$HOME_NET (i.e. everything that is not HOME_NET)
Create an IPS policy with a log-only rule state (Generate Events, not Drop and Generate Events).
Apply it to the relevant access control policy (ACP) rules.
Let it run for about a week so it sees a full business cycle of traffic.
Review the intrusion events for false positives and resolve them (disable or suppress the rule, fix the variable set, or adjust the traffic it is matching).
Switch the IPS policy rules to the drop state.
Test and review the events again.
Repeat the cycle, tightening the policy each pass, until you reach the most restrictive rule set that does not generate false positives.
To investigate an individual rule, take the SID (Snort rule ID) from the intrusion event.
Edit the IPS policy and search the rules for that SID.
Look up the rule's documentation and any CVE it references.
Read the rule body to see which content or pattern it matches.
Go back to the events, download the captured packets and check what the traffic actually was and why it matched that rule.
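The review step above (rank the noisiest SIDs, pull each one's message and CVE references, and check where the triggering traffic came from) is easy to script against a rules file and an event export. The following is an added example, not code from the original post; the Snort rules, SIDs, messages, CVE references and event rows it contains are constructed placeholders, and the event CSV uses a simplified column layout rather than the exact FMC export format. Only HOME_NET is taken from the post.

```python
import csv
import io
import ipaddress
import re
from collections import defaultdict

HOME_NET = ipaddress.ip_network("192.168.1.0/24")  # value from the post

# Constructed rules in Snort syntax. SIDs, messages and CVE references are
# placeholders for illustration, not real Talos rules or real CVE entries.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE WEB traversal attempt"; flow:to_server,established; content:"../"; reference:cve,2000-0001; classtype:web-application-attack; sid:1000001; rev:3;)
# a leading '#' marks a disabled rule in a rules file
# alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE disabled rule"; sid:1000009; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"EXAMPLE POLICY outbound TLS"; flow:to_server; sid:1000002; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXAMPLE DNS oversized query"; dsize:>512; reference:cve,2000-0002; reference:url,example.invalid/dns; sid:1000003; rev:2;)
'''

# Constructed event export (simplified columns, not the exact FMC CSV layout).
SAMPLE_EVENTS = """timestamp,sid,src_ip,dst_ip
2024-01-01T09:00:00,1000002,192.168.1.10,203.0.113.5
2024-01-01T09:05:00,1000002,192.168.1.10,203.0.113.5
2024-01-01T09:10:00,1000002,192.168.1.11,203.0.113.6
2024-01-01T09:15:00,1000002,192.168.1.11,203.0.113.6
2024-01-01T09:20:00,1000002,192.168.1.12,203.0.113.7
2024-01-01T09:25:00,1000002,192.168.1.10,203.0.113.5
2024-01-01T10:00:00,1000001,198.51.100.7,192.168.1.20
2024-01-01T10:30:00,1000001,198.51.100.8,192.168.1.20
2024-01-01T11:00:00,1000003,198.51.100.9,192.168.1.2
2024-01-01T11:30:00,9999999,198.51.100.9,192.168.1.2
"""

# action proto src_net src_port -> dst_net dst_port ( options )
RULE_HEADER = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$"
)


def parse_rules(text):
    """Map SID -> rule details for every active (uncommented) rule line."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_HEADER.match(line)
        if not m:
            continue
        opts = m.group(8)
        sid = re.search(r"\bsid:(\d+);", opts)
        if not sid:
            continue
        msg = re.search(r'msg:"([^"]*)";', opts)
        rules[int(sid.group(1))] = {
            "action": m.group(1),
            "proto": m.group(2),
            "src": f"{m.group(3)} {m.group(4)}",
            "dst": f"{m.group(6)} {m.group(7)}",
            "msg": msg.group(1) if msg else "",
            "cves": re.findall(r"reference:cve,([\d-]+);", opts),
        }
    return rules


def parse_events(csv_text):
    """Read the event export into a list of {sid, src, dst} records."""
    return [
        {"sid": int(r["sid"]),
         "src": ipaddress.ip_address(r["src_ip"]),
         "dst": ipaddress.ip_address(r["dst_ip"])}
        for r in csv.DictReader(io.StringIO(csv_text))
    ]


def rank_sids(events, rules):
    """Rank SIDs by hit count (noisiest first), with distinct source count,
    share of hits sourced from HOME_NET, and the rule's message and CVEs."""
    by_sid = defaultdict(list)
    for e in events:
        by_sid[e["sid"]].append(e)
    rows = []
    for sid, evs in by_sid.items():
        rule = rules.get(sid)
        internal = sum(1 for e in evs if e["src"] in HOME_NET)
        rows.append({
            "sid": sid,
            "hits": len(evs),
            "sources": len({e["src"] for e in evs}),
            "internal_src_share": internal / len(evs),
            "msg": rule["msg"] if rule else "(SID not in loaded rule set)",
            "cves": rule["cves"] if rule else [],
        })
    rows.sort(key=lambda r: (-r["hits"], r["sid"]))
    return rows


if __name__ == "__main__":
    for r in rank_sids(parse_events(SAMPLE_EVENTS), parse_rules(SAMPLE_RULES)):
        print(f"sid {r['sid']}: {r['hits']} hits, {r['sources']} sources, "
              f"{r['internal_src_share']:.0%} from HOME_NET, "
              f"cves={r['cves'] or '-'} :: {r['msg']}")
```

A SID that dominates the count and is sourced entirely from HOME_NET (the constructed 1000002 above) is the first candidate for suppression or a threshold; a SID with no entry in the loaded rules (9999999) means the export and the rule pack are out of step, which is itself worth checking before tuning.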