|
The rules that are in use should wind up in a place like /etc/snort/rules. When I looked at the file snortrule-snapshot, which was used to initially compile snort, the zip file contained the list of rules that goes into the aforementioned directory. What I noticed, when I looked in response to your question, is that many rules, but not all are commented out. I think that there a few foreces at work here. One Snort tends to generate a lot of false positives and the rules are very much in flux. I suspect that when rules are updated that old rules are simply commented out rather than deleted. Two, Snort is fairly CPU intensive in it's processing and the more rules that is it trying to compare against, the more worse it gets. Consequently, I think the developers try to achieve a good balance between rules that are effective and having too many rules.
Ultimately, to make the very best use of snort, you will likely need to learn to write rules and match them to the special cases of your system. Until then, the base snort rules, plus those from emerging threats should give you a pretty solid base to work with.
|
