[Snort-users] redundant rules

Martin Roesch roesch at ...1935...
Thu May 10 16:31:05 EDT 2001


What are your HOME_NET and EXTERNAL_NET variables set to?  Are you
portscanning yourself from the same network that you're monitoring?

   -Marty

> "Watson, Ed" wrote:
> 
> The default rules don't seem to pick up port scans, even obvious ones.
> I thought if I used the vision.rules, that would be more effective,
> and it hasn't. Could redundant rules cause it to not log these events?
> 
> 1166 rules read...
> 1166 Option Chains linked into 257 Chain Headers
> 0 Dynamic rules
> 
> System
>       Dell 1550
>         dual PIII 833
>         1gb ram
>         100baseTX FDX
>     Resource usage
>         Mem .6%
>         CPU  .1%
> OS
>     RH7
> 
> Ed Watson

--
Martin Roesch
roesch at ...1935...
http://www.sourcefire.com - http://www.snort.org



