[Snort-users] Rules optimization
erek at ...950...
Fri Jun 20 08:22:06 EDT 2003
On Fri, 20 Jun 2003, Vuppala, Vijaybhasker (EM, GECIS) wrote:
> 1. I have multiple subnets in the segment where i'm monitoring the data. is
> it possible to add multiple segments in HOME_NET
var HOME_NET [10.10.10.0/24,10.20.20.0/24]
If you do that, try and use the best CIDR notation that you can. The more
subnets you have listed the more impact it will have on the speed of the
> 2. if i add my subnets to HOME_NET, will it be able to capture both
> attaks coming into my network as well as attaks being generated from my
> Network. I'm basically monitoring company's internal network and
> interested in both.
Well, that depends on how you have EXTERNAL_NET set. Quite a few of the
rules are setup like EXTERNAL_NET -> HOME_NET. You have two options:
var HOME_NET any
var EXTERNAL_NET any
Or run two instances of Snort. One with a 'incoming' config, and then one
with an 'outgoing' config.
I'll warn you now, you'll see so many false positives using the any,any
thing that it'll make you crazy.
"When things get weird, the weird turn pro." H.S. Thompson
More information about the Snort-users