[Snort-users] Rule Selection
Alex Butcher, ISC/ISYS
Alex.Butcher at ...11254...
Thu Feb 10 02:03:07 EST 2005
--On 10 February 2005 10:30 -0800 Rudi Starcevic <tech at ...12014...> wrote:
> A colleague of mine suggested to me that a machine with only port 80 open
> (www server) one should only use www Snort rules.
> That would mean not using a lot of available rules for intrusion
> detection, is that wise?
As I understand Snort's workings, in this scenario the non-port 80 rules
will only get run if Snort sees non-port 80 traffic - i.e. there is little
or no performance overhead in having other rules enabled if there's no
traffic that gets past the basic host/port filters.
If anyone who's read the code reckons I'm wrong, feel free to correct me.
> Best regards
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
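
A simplified model of the behaviour described in the message above, added here as an example and not taken from the post or from Snort's source: rules are indexed by protocol and destination port, so a packet is only a candidate for the rules in its own port group plus the "any"-port rules. The rules and SIDs are constructed, and `build_port_groups` and `candidates` are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed sample rules in Snort rule-header syntax (options trimmed to msg/sid).
RULES = """
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"web rule A"; sid:1000001;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"web rule B"; sid:1000002;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ftp rule"; sid:1000003;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"smtp rule"; sid:1000004;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"any-port rule"; sid:1000005;)
"""

# action proto src sport direction dst dport (options containing sid)
HEADER = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s+\(.*?sid:(\d+);'
)

def build_port_groups(text):
    """Index rule SIDs by (protocol, destination port)."""
    groups = defaultdict(list)   # (proto, dst_port) -> [sid, ...]
    generic = defaultdict(list)  # proto -> [sid, ...] for rules not tied to one port
    for line in text.strip().splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        proto, dport, sid = m.group(2), m.group(7), int(m.group(8))
        if dport.isdigit():
            groups[(proto, int(dport))].append(sid)
        else:
            # Assumption of this model: "any", variables, ranges and negations
            # are treated conservatively as matching every port.
            generic[proto].append(sid)
    return groups, generic

def candidates(groups, generic, proto, dst_port):
    """SIDs that would have to be evaluated for one packet."""
    return groups.get((proto, dst_port), []) + generic.get(proto, [])

if __name__ == "__main__":
    groups, generic = build_port_groups(RULES)
    for port in (80, 21, 443):
        sids = candidates(groups, generic, "tcp", port)
        print(f"tcp/{port}: {len(sids)} of 5 rules are candidates -> {sids}")
```

In this model, a sensor that only ever sees port 80 traffic never touches the ftp and smtp groups; only rules written against "any" port add per-packet work.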