[Snort-users] Disable all rules for a platform?

Sheahan, Paul (PCLN-NW) Paul.Sheahan at ...2218...
Wed Jun 27 13:17:49 EDT 2001


I wanted to get everyone's opinion on this. Does anyone recommend shutting
off all rules for a certain platform if they don't have that platform in
their environment? For example, if I have an all-Unix environment, does
anyone out there disable all Microsoft-related rules? I mean, if a hacker
can't detect what OS I'm running on my web servers and throw attacks at it
that are for another platform, then they aren't very good hackers anyway and
really aren't much of a threat. I figure that Snort needs every cycle it can
get so why not get rid of all rules applying to platforms I don't have?

The second question is, if I did want to disable checks for a platform, it
doesn't appear to be an easy task... it looks like all rules are mixed
together throughout the rules files.

Any feedback would be appreciated!


