There is no way to download a pre-packaged, out-of-the-box ruleset tailored perfectly to a specific environment right from the start.

While the Talos Subscriber ruleset gives you rapid, premium threat updates, even those rules default primarily to alert actions. This is intentional; if a ruleset dropped traffic by default, it would instantly break legitimate services on a home network the moment a false positive triggered.

PulledPork is exactly the tool you need to change this behavior, but its base policies (Connectivity, Balanced, and Security) are only the starting point. To move from passive alerts to active blocking (drop actions), you need to configure PulledPork to rewrite the rule states for you.

Building a custom ruleset that matches your specific network profile will take a little work, but here is the general approach to get you started:

1. Enable Inline Dropping in Snort

First, make sure Snort is actually configured to drop traffic. If Snort isn't running in inline mode (using DAQ modules like afpacket or nfq), changing the rules to drop won't do anything—it will still only log an alert. You need to ensure your execution mode supports blocking.

2. Leverage PulledPork's Modification Files

Instead of editing the massive ruleset manually every day (which gets overwritten on every update), you use PulledPork’s built-in state modification files: dropsid.conf, enablesid.conf, and disablesid.conf.

3. Start Small and Tune

Start by using dropsid.conf on highly reliable, high-severity categories (like known malware command-and-control communication or active exploits). Watch your logs closely for a week to catch false positives before expanding your drop list.

Tailoring a ruleset is an iterative process, but utilizing PulledPork to manage the rule modifications is the standard, efficient way to handle it.

WINSNORT.com Management…

--

******************** Established ~ 2003 **********************

* FREE Windows Intrusion Detection System (WinIDS) Tutorials *

*            ~~ FREE Windows Support Forums ~~               *

*               Visit @ http://winsnort.com                  *

*     Snort: Open Source Network IDS - http://snort.org      *

**************************************************************

Best regards,

Michael...
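
As an added example for step 3 (not code from this thread, from Snort or from PulledPork), the script below summarises Snort 3 alert_json output, such as the /var/snort/alert_json.txt file mentioned in the original question, per GID:SID and reports which rules only ever alerted versus actually blocked. That tells you at a glance whether inline drop is really working and which noisy rules need review before they go into dropsid.conf. The sample log lines are constructed; the field names (rule, action, msg) and the set of verdicts counted as blocking are assumptions about the alert_json field selection in use.

```python
import json

# Constructed sample lines in the shape of Snort 3 alert_json output.
# Assumed fields: timestamp, src_ap, dst_ap, rule ("gid:sid:rev"), action, msg.
SAMPLE_LOG = """\
{"timestamp":"06/18-08:50:01.000000","src_ap":"192.0.2.10:51234","dst_ap":"198.51.100.5:80","rule":"1:2000:3","action":"allow","msg":"TEST policy alert"}
{"timestamp":"06/18-08:50:02.000000","src_ap":"192.0.2.10:51235","dst_ap":"198.51.100.5:80","rule":"1:2000:3","action":"allow","msg":"TEST policy alert"}
{"timestamp":"06/18-08:51:00.000000","src_ap":"192.0.2.20:40000","dst_ap":"203.0.113.9:443","rule":"1:3000:1","action":"block","msg":"TEST malware C2"}
{"timestamp":"06/18-08:52:00.000000","src_ap":"192.0.2.30:40001","dst_ap":"203.0.113.9:443","rule":"1:3000:1","action":"allow","msg":"TEST malware C2"}
not json at all
"""

# Assumption: these verdict strings mean the packet was actually stopped.
BLOCKING_ACTIONS = {"block", "drop", "reject"}


def summarize_alerts(lines):
    """Return {"gid:sid": {"msg", "total", "blocked", "alert_only"}} from alert_json lines."""
    summary = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # partial or garbled line (common when reading a live file); skip it
        gid_sid = ":".join(event.get("rule", "").split(":")[:2])  # "1:2000:3" -> "1:2000"
        if not gid_sid:
            continue
        entry = summary.setdefault(
            gid_sid, {"msg": event.get("msg", ""), "total": 0, "blocked": 0, "alert_only": 0})
        entry["total"] += 1
        if event.get("action") in BLOCKING_ACTIONS:
            entry["blocked"] += 1
        else:
            entry["alert_only"] += 1
    return summary


def never_blocking(summary):
    """Rules that fired but never blocked: not in dropsid.conf, or Snort is not inline."""
    return sorted(k for k, v in summary.items() if v["blocked"] == 0)


if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    stats = summarize_alerts(lines)
    for k, v in sorted(stats.items(), key=lambda kv: -kv[1]["total"]):
        print(f"{k:<10} total={v['total']:<4} blocked={v['blocked']:<4} alert_only={v['alert_only']:<4} {v['msg']}")
    print("alert-only rules:", ", ".join(never_blocking(stats)))
```

Run it against a week of alert_json output; a rule that appears under "alert-only" even after you put it in dropsid.conf is the sign that step 1 (inline mode) is not in effect.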

 

From: Snort-users <snort-users-bounces@lists.snort.org> On Behalf Of Jonathan Lee via Snort-users
Sent: Thursday, June 18, 2026 12:07 PM
To: Peter Lyons <pedeb04@gmail.com>
Cc: snort-users@lists.snort.org
Subject: Re: [Snort-users] Ruleset advice for beginners

You have to set block on alert and inline mode or legacy mode 

Sent from my iPhone

On Jun 18, 2026, at 08:50, Peter Lyons via Snort-users <snort-users@lists.snort.org> wrote:

About a year ago I installed Snort 3 and PulledPork on Ubuntu 24.04 to provide better protection on my home network.

I registered and used the LightSPD_ruleset, rule_mode=simple, ips_policy=balanced.

Got it all working, and auto updating the LightSPD ruleset every day.

At the start, I was checking the log $ tail -f /var/snort/alert_json.txt to see if it was working.

So I felt very happy and secure.

Then the other day I checked the log file a bit more and noticed the log file only had alert warnings and no rule actions like block or drop, etc.

So then I checked the LightSPD_ruleset and noticed that by default the rule actions are all set to alert warnings.

Which means I have to monitor the log file and customize the rules myself.

While I’d call myself a Linux enthusiast, I don’t have the expertise to do that.

Is there a way to get a rule set suitable for a home network?

I’m thinking there might be a suitable community rule set, or I could pay for a subscribed Talos ruleset.

I’m assuming the subscribed ruleset comes with rule actions to provide protection, and instant threat updates.

Are my options correct?

Advise please.

PS: I am new to this mailing list.

Peter Lyons

_______________________________________________
Snort-users mailing list
Snort-users@lists.snort.org