wiki.ipfire.org

The community-maintained documentation platform of IPFire

User Tools

Site Tools


configuration:firewall:ips:rulesets

Rulesets

There are currently the following rulesets available:

Free Rulesets

Emerging Threats Community Ruleset

They are free and community-maintained rules (further information) and cover scanning activities, attack patterns agains various protocols, blacklists and more. No registration is required to use those rules.

Talos ruleset for registered users

These rules are usually more than 30 days old and can be used for free. Registration is required. Usually, the quality of these rules is a bit better than these of the Emergingthreats.net Community Rules.

Snort/VRT GPLv2 Community

These are free and GPL licenced snort rules. Usually, the quality is good. Accoding to the Snort blog, no registration is required.

Commercial Rulesets

Talos ruleset for users with subscription

Same as above, but they are chargeable and more current. These might be useful in productive environment, where you need reliable and up-to-date IDS rules.

Emerging Threats Pro (Proofpoint) Ruleset

The Emerging Threads Pro is a timely and accurate rule set for detecting and blocking advanced threats. It will be daily updated and covers more than 40 different categories of network behaviors, malware command and control, DoS attacks, botnets, informational events, exploits, vulnerabilities, SCADA network protocols, exploit kit activity, and more.

Which ruleset is right for me?

There is no clear answer to this and it might depend on many circumstances.

Large Company/Organisation

Please consult with your security consultants which ruleset you need. You are quite likely to need a commercial, large and up to date ruleset.

Medium-sized Business/Organisation

Consider if you need a cyber security team, but the minimum would be a commercial ruleset with a large number of rules enabled.

Small Business/Organisation

Consider the consequences of a compromise. If they are serious, either to you or to someone else (don't forget your responsibilities under the GDPR), you should be using the Talos ruleset for users with subscription, otherwise you may get by with either Talos ruleset for registered users or Emerging Threats Community Ruleset.

Home Use

The Emerging Threats Community Ruleset is probably sufficient, but you could use the Talos ruleset for registered users. A policy of Balanced-between-Security-and-Connectivity is probably sufficient. If you volunteer for a charity or similar and as a consequence keep either personal or financial information on your home network, you should consider the Talos ruleset for users with subscription, but you should be eligible for the personal use licence, which is much cheaper.

configuration/firewall/ips/rulesets.txt · Last modified: 2019/04/13 11:09 by Stefan Schantl