[Snort-users] Rule Selection

Alex Butcher, ISC/ISYS Alex.Butcher at ...11254...
Thu Feb 10 02:03:07 EST 2005


--On 10 February 2005 10:30 -0800 Rudi Starcevic <tech at ...12014...> wrote:

> A colleague of mine suggested to me that a machine with only port 80 open
> (www server) one should only use www Snort rules.
> That would mean not using a lot of available rules for intrusion
> detection, is that wise?

As I understand Snort's workings, in this scenario the non-port 80 rules 
will only get run if Snort sees non port 80 traffic - i.e. there is little 
or no performance overhead in having other rules enabled if there's no 
traffic that gets past the basic host/port filters.

If anyone who's read the code reckons I'm wrong, feel free to correct me. 
;-)

> Thanks
> Best regards
> Rudi

Best Regards,
Alex.
-- 
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
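
A simplified model of the host/port pre-filtering described in the reply above, as an added example that is not part of the original post and is not Snort's own code. The rules and sids are constructed, and the model indexes on protocol and destination port only.

```python
import re
from collections import defaultdict

# Constructed sample rules (not from any real ruleset); sids are placeholders.
RULES = """\
# comment lines and blank lines are skipped
alert tcp any any -> any 80 (msg:"web example A"; sid:1000001;)
alert tcp any any -> any 80 (msg:"web example B"; sid:1000002;)
alert tcp any any -> any 22 (msg:"ssh example"; sid:1000003;)
alert tcp any any -> any 21 (msg:"ftp example"; sid:1000004;)
alert tcp any any -> any any (msg:"any-port example"; sid:1000005;)
"""

# action proto src sport dir dst dport (options)
HEADER = re.compile(
    r"^\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")
SID = re.compile(r"sid:\s*(\d+)\s*;")


def build_port_groups(text):
    """Index rule sids by (protocol, destination port).

    Rules whose destination port is not a single number ('any', ranges,
    negations, variables) go into a per-protocol catch-all group, which is
    the conservative choice for this simplified model.
    """
    groups, catch_all = defaultdict(list), defaultdict(list)
    for line in text.splitlines():
        header = HEADER.match(line)
        if not header:
            continue  # comment, blank line, or something this model ignores
        proto, dst_port, options = header.group(2), header.group(7), header.group(8)
        sid = SID.search(options)
        if not sid:
            continue  # a rule without a sid cannot be reported on here
        if dst_port.isdigit():
            groups[(proto, int(dst_port))].append(int(sid.group(1)))
        else:
            catch_all[proto].append(int(sid.group(1)))
    return groups, catch_all


def candidates(groups, catch_all, proto, dst_port):
    """Return the sids that would be evaluated for one packet."""
    return sorted(groups.get((proto, dst_port), []) + catch_all.get(proto, []))


if __name__ == "__main__":
    g, c = build_port_groups(RULES)
    for port in (80, 22, 443):
        print(port, candidates(g, c, "tcp", port))
```

In this model the port 22 and port 21 rules are never candidates for port 80 traffic, while the rule with a non-specific port is a candidate for every TCP packet.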
