[Snort-sigs] variable of subnets replacing rules

Lee Clemens snort at ...3020...
Thu Mar 24 16:13:40 EST 2005


That all makes sense, but a serious caveat...what suppress statement
wouldn't cause the rule to be pointless? (alert any any <> 10/8 any)

Then if I write a suppress for 

by_src $HOME_NET and by_dst $HOME_NET, 

any illicit traffic will be suppressed if it is sent to one of my
computers or from one of my computers to one of these non-existent
(shouldn't be) addresses (exactly what I don't want, and the reason for the
rule(s) in the first place).

Am I overlooking a simple solution for this? Or perhaps there isn't one with
the current functionality of suppress and the rules themselves?

Perhaps if I create a new variable in snort.conf to include the 21 subnets
surrounding my $HOME_NET I could say something like alert ip $EXCLUDED_NET
<> $HOME_NET ??? and that would get rid of the problem with so many rules?
(variable loading should be pretty quick to test that rule...)

Anyone with some insight/opinion on this would be greatly appreciated!


-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Jeremy Hewlett
Sent: Wednesday, March 23, 2005 4:52 PM
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] rules vs. suppress

On Mon, Mar 21, Lee Clemens wrote:
> 
> But my question is this: Would it have been better to simply write
SUPPRESS
> rules and specify my network in track by_src and track by_dst, or to keep
> these many rules that include every private network except my own.

By adding these 21 rules, you're increasing the inspection time. Each
packet that comes in will be evaluated sequentially against these
rules. Suppression is a better choice, it's a simpler execution path,
and you're not adding any additional rules.







More information about the Snort-sigs mailing list