[Snort-sigs] rules vs. thresholding

Lee Clemens snort at ...3020...
Sat Mar 19 11:47:08 EST 2005


Hello everyone,

I just wrote a bunch of rules to watch for traffic with invalid IP addresses
(in private network space).

To jump over my own smaller network (/26) it took about 21 rules (including
1 each for 172.16/12 and 192.168/16).

But my question is this: Would it have been better to simply write SUPPRESS
rules and specify my network in track by_src and track by_dst, or to keep
these many rules that include every private network except my own?

To clarify, my question has more to do with what is more CPU intensive or
more likely to cause dropped packets, etc... (having a lot of packets alert
and then get suppressed, or a lot of rules that aren't triggered very
often).

Thanks :)
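Added example (not part of the original post, and not Snort project code): a
short Python script that reproduces the two approaches the post compares. It
computes the CIDR blocks that cover the RFC 1918 ranges minus the sensor's own
/26 (the "many rules" approach, one rule per block) and renders the alternative
of one broad rule plus a threshold.conf suppress entry keyed on the own network.
The own network 10.1.2.0/26 and the sid values are constructed placeholders;
the Snort rule and suppress syntax shown is the standard Snort 2.x form.

```python
import ipaddress

# RFC 1918 private ranges (fact). The sensor's own /26 below is a constructed
# placeholder standing in for the poster's real network.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
OWN_NET = ipaddress.ip_network("10.1.2.0/26")


def private_space_excluding(own_net, private=RFC1918):
    """CIDR blocks covering the private ranges with own_net carved out.

    Each block becomes one rule in the "many rules" approach. Carving a /26
    out of a /8 yields one block per prefix length from /9 to /26 (18 blocks),
    the other two ranges stay whole, so 20 rules for the assumed /26.
    """
    blocks = []
    for net in private:
        if own_net.subnet_of(net):
            blocks.extend(net.address_exclude(own_net))
        else:
            blocks.append(net)
    return sorted(blocks)


def render_split_rules(blocks, sid_base=1000001):
    """One alert rule per block: fires on packets whose *source* is a private
    address that is not the sensor's own network. sid values are placeholders."""
    return [
        f'alert ip {blk} any -> any any '
        f'(msg:"Private source address {blk}"; sid:{sid_base + i}; rev:1;)'
        for i, blk in enumerate(blocks)
    ]


def render_suppress_variant(own_net, sid=1000100):
    """The alternative the post asks about: a single broad rule on the whole
    private space, plus a suppress line (threshold.conf) so traffic sourced
    from the sensor's own /26 matches the rule but never raises an alert."""
    ipvar = "ipvar RFC1918 [10.0.0.0/8,172.16.0.0/12,192.168.0.0/16]"
    rule = (f'alert ip $RFC1918 any -> any any '
            f'(msg:"Private source address"; sid:{sid}; rev:1;)')
    suppress = f"suppress gen_id 1, sig_id {sid}, track by_src, ip {own_net}"
    return ipvar, rule, suppress


def covers_exactly(blocks, own_net, private=RFC1918):
    """Sanity check: no block touches own_net, and together the blocks cover
    every other private address exactly once."""
    if any(b.overlaps(own_net) for b in blocks):
        return False
    expected = sum(n.num_addresses for n in private) - own_net.num_addresses
    return sum(b.num_addresses for b in blocks) == expected


if __name__ == "__main__":
    blocks = private_space_excluding(OWN_NET)
    print(f"# {len(blocks)} rules, coverage ok: {covers_exactly(blocks, OWN_NET)}")
    print("\n".join(render_split_rules(blocks)))
    print("\n# --- single rule + suppress alternative ---")
    print("\n".join(render_suppress_variant(OWN_NET)))
```

The split-rule variant keeps the detection engine from ever matching the
sensor's own traffic; the suppress variant matches it and then discards the
event, so it costs one extra lookup per local packet but is far easier to
maintain. Snort's ipvar lists also accept negation (for example
`[10.0.0.0/8,!10.1.2.0/26]`), which gives a single rule without a suppress
entry at all.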
