kawaiipantsu / spamassassin-rules

Custom SpamAssassin rules I and others have made and contributed - to mitigate spam mails and phishing mails, now also with cool Phishtank rules
MIT License

RFI for using the rules #3

Closed gotspatel closed 1 year ago

gotspatel commented 1 year ago

Thank you for this useful feature update

Please excuse my ignorance, but which of the rules should be used with SA in a production environment: 7 days, 30 days, or all?

Please advise.

Regards

kawaiipantsu commented 1 year ago

Hi @gotspatel,

Well, it depends on your setup and resources. SA, as we all know, can be a bit memory and CPU hungry when it has to process many rules - even though SA compiles the rules to make it faster. So my first suggestion would be to always start out with the last 7 days etc. and see how SA handles that and if all runs as it should. Then you should try the 30 days setup.

Also it's important to remember that the "fresh" part of the list will always be the last 24 hours (let's say you update those rules every 24 hours), so in theory you should update the rules every day with a freshly fetched DB from Phishtank and then build the 7 and 30 day rules.

Then use these questions to help you choose:

1) The time/downtime it takes to refresh SA with new rules (it could be you can't afford SA to be down for more than 15 min, etc.)
2) The amount of resources SA takes after a restart (mem + CPU load might increase more than expected)
3) The need to have IOCs a month old (many old/confirmed IOCs/URLs are blocked by browsers and not used anymore by threat actors)
4) Whether SA can keep up with the scans, not holding back/delaying mail, etc. (perhaps we need more SA threads or fewer rules)

I hope that helps you on what to choose... Again, short answer - 7 days first, then 30 days if you can.
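The daily refresh described in the reply (fetch a fresh Phishtank DB, then cut it into 24-hour, 7-day and 30-day rule sets) can be scripted along these lines. This is an added example, not code from the spamassassin-rules repository or from Phishtank: the CSV column names (`phish_id`, `url`, `verified`, `verification_time`, `online`, `target`) are an assumption about Phishtank's export format, the rows are constructed sample data, and the rule name prefix and score are arbitrary choices. It selects only verified, online entries inside the chosen window, turns each URL into a `uri` rule with the `/` delimiter escaped, and includes a small self-check that applies the generated regexes to candidate URIs so you can confirm the rules hit what you expect before loading them into SA.

```python
"""Build time-windowed SpamAssassin ``uri`` rules from a Phishtank-style CSV.

Added example, not code from the spamassassin-rules project. The column names
are an assumption about Phishtank's export format; check them against your
own download before relying on this.
"""
import csv
import io
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Constructed sample rows in the assumed Phishtank export shape (not real data).
SAMPLE_CSV = """phish_id,url,phish_detail_url,submission_time,verified,verification_time,online,target
1001,http://login-example.invalid/secure/,https://phishtank.example/1001,2024-05-01T10:00:00+00:00,yes,2024-05-01T11:00:00+00:00,yes,Example Bank
1002,https://update-mail.invalid/a?x=1,https://phishtank.example/1002,2024-04-20T09:00:00+00:00,yes,2024-04-20T09:30:00+00:00,yes,Example Mail
1003,http://old-phish.invalid/,https://phishtank.example/1003,2024-03-01T08:00:00+00:00,yes,2024-03-01T08:05:00+00:00,yes,Other
1004,http://not-verified.invalid/,https://phishtank.example/1004,2024-05-02T08:00:00+00:00,no,,yes,Other
"""

# Fixed reference time so the example is reproducible; use datetime.now(timezone.utc) in a cron job.
NOW = datetime(2024, 5, 3, 12, 0, tzinfo=timezone.utc)


def select_entries(csv_text, max_age_days, now=NOW):
    """Return verified, online rows whose verification time lies within the window."""
    max_age = timedelta(days=max_age_days)
    keep = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["verified"] != "yes" or row["online"] != "yes":
            continue  # unverified rows have no verification_time and are not worth a rule
        verified_at = datetime.fromisoformat(row["verification_time"])
        if now - verified_at <= max_age:
            keep.append(row)
    return keep


def url_to_regex(url):
    """Turn one phishing URL into a regex body for a SpamAssassin uri rule.

    The scheme is relaxed to https?:// so both variants match, a trailing slash
    is dropped, and '/' is escaped because it delimits the rule's regex.
    """
    parts = urlsplit(url)
    target = parts.netloc + parts.path.rstrip("/")
    if parts.query:
        target += "?" + parts.query
    return r"https?:\/\/" + re.escape(target).replace("/", r"\/")


def build_rules(csv_text, max_age_days, now=NOW, prefix="PHISHTANK", score=5.0):
    """Emit uri/describe/score triplets for every entry inside the window."""
    label = f"{prefix}_{max_age_days}D"  # e.g. PHISHTANK_7D
    lines = []
    for row in select_entries(csv_text, max_age_days, now):
        name = f"{label}_{row['phish_id']}"
        lines.append(f"uri      {name}  /{url_to_regex(row['url'])}/i")
        lines.append(f"describe {name}  Phishtank-verified phish {row['phish_id']} (target: {row['target']})")
        lines.append(f"score    {name}  {score:.1f}")
        lines.append("")
    return "\n".join(lines)


_URI_LINE = re.compile(r"^uri\s+(\S+)\s+/(.*)/i$")


def rule_hits(rules_text, uri):
    """Self-check: names of generated uri rules whose regex matches a candidate URI."""
    hits = []
    for line in rules_text.splitlines():
        m = _URI_LINE.match(line)
        if m and re.search(m.group(2), uri, re.IGNORECASE):
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    # The three windows the reply talks about: fresh (24h), 7 days, 30 days.
    for days in (1, 7, 30):
        text = build_rules(SAMPLE_CSV, days)
        print(f"# {days}-day window: {text.count('uri ')} rule(s)")
        print(text)
```

Run it once a day after downloading the Phishtank CSV, write each window's output to its own `.cf` file, and watch the rule count per window: that number is what drives the memory and restart-time cost the reply warns about, so it is the first thing to compare between the 7-day and 30-day sets.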