[Snort-sigs] [Emerging-Sigs] No real performance penalty?

Joel Esler jesler at ...435...
Wed Jan 11 10:36:29 EST 2012


On Jan 11, 2012, at 6:30 AM, elof at ...1288... wrote:

> Now, the main workload here is the Fast Pattern matching.
> The test to see if the packet is actually coming from src port 23 is only 
> matched on the very few tcp packets that actually contain the pattern 
> "login incorrect".
> 
Right.

> Have I got it right, or is there a major reason why I should not choose to 
> turn the telnet only rule into a general rule?

False positives and alert generation.

You'd be dealing with a ton of alerts instead of only ones on port 23.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
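
Added example, not part of the original post and not Snort's own code: a simplified Python model of the evaluation order described in the thread (content search first, source-port test only on packets that contain the pattern), run over constructed sample packets. It shows that the search work is the same for both rules while the alert count is not; the case-insensitive match and all names are assumptions.

```python
from dataclasses import dataclass

PATTERN = b"login incorrect"  # the content string quoted in the thread


@dataclass
class Packet:
    src_port: int
    payload: bytes


def evaluate(packets, src_port=None):
    """Search every payload for PATTERN, then apply the port test only to hits.

    src_port=23 models the telnet-only rule; src_port=None models the
    generalized any-port rule. Case-insensitive matching is an assumption.
    """
    searches = port_checks = alerts = 0
    for pkt in packets:
        searches += 1                      # pattern search runs on every packet
        if PATTERN not in pkt.payload.lower():
            continue
        if src_port is not None:
            port_checks += 1               # cheap test, only on pattern hits
            if pkt.src_port != src_port:
                continue
        alerts += 1
    return {"searches": searches, "port_checks": port_checks, "alerts": alerts}


# Constructed sample traffic (not captured data).
SAMPLE = [
    Packet(23, b"Login incorrect\r\nlogin: "),                  # telnet failure
    Packet(80, b"HTTP/1.1 200 OK\r\n\r\n<p>Login incorrect</p>"),
    Packet(25, b"Subject: re: login incorrect on the wiki"),
    Packet(21, b"530 Login incorrect.\r\n"),
    Packet(443, b"\x17\x03\x03\x00\x20 opaque record bytes"),
    Packet(23, b"Last login: Wed Jan 11"),
]


def compare(packets=SAMPLE):
    """Return (telnet-only result, any-port result) for the same traffic."""
    return evaluate(packets, src_port=23), evaluate(packets, src_port=None)


if __name__ == "__main__":
    telnet_rule, any_rule = compare()
    print("port 23 rule :", telnet_rule)
    print("any-port rule:", any_rule)
```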