[Snort-users] Database Plugin - Alert vs. Log

Frank Knobbe fknobbe at ...652...
Mon Dec 2 09:42:37 EST 2002


On Mon, 2002-12-02 at 11:20, L. Christopher Luther wrote:
> Always an option, but then again, that's what the portscan plugin is
> for.  Why reinvent the wheel?  Better have the portscan plugin
> normalized to produce consistent output.  


I would call it reinventing the wheel if it were redundant. In my
opinion, it is not, because the approach is different. Using rules over
the port scan plugin gives you finer control.

It also makes you have to learn your network layout, which is always a
plus :)  I see too many folks deploying Snort that don't know what their
network looks like. You really need to get a handle on your network
first before you deploy an IDS. The argument that the IDS is there so
you don't have to know what's behind your network is imho flawed.

Maybe I just love to use customized rules... :)

Frank
