[Snort-users] Rule Selection

Miner, Jonathan W (CSC) (US SSA) jonathan.w.miner at ...11338...
Thu Feb 10 03:54:30 EST 2005


Depends on what you're looking for.  I run some snort sensors "wide open" in order to monitor and profile all the attacks that are occurring.  In other cases, only selected rules are enabled.
 
For example, if your firewall only allows Port 80 traffic, then running snort with "all" the rules behind the firewall will alert you to other traffic that might be "leaking" through.
 

	-----Original Message----- 
	From: snort-users-admin at lists.sourceforge.net on behalf of Rudi Starcevic 
	Sent: Thu 02/10/2005 01:30 PM 
	To: snort-users at lists.sourceforge.net 
	Cc: 
	Subject: [Snort-users] Rule Selection
	
	

	Hi,
	
	A colleague of mine suggested to me that on a machine with only port 80
	open (www server) one should only use www Snort rules.
	That would mean not using a lot of available rules for intrusion
	detection, is that wise?
	
	Thanks
	Best regards
	Rudi
	
	
	
	



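The "leaking" check described in the reply, as an added example that is not part of either poster's message: it parses Snort fast-format alerts from a sensor behind the firewall and separates alerts on the permitted port from alerts on traffic the firewall should have dropped. The server address, the allowed-port policy, the SIDs and the alert lines are all constructed for illustration.

```python
import re

# Assumptions (not from the thread): the firewall only passes TCP/80 to the web
# server, and Snort writes "fast" format alerts. All values are constructed.
WEB_SERVER = "192.0.2.10"
ALLOWED = {("TCP", 80)}

FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts (local-range SIDs, documentation addresses).
SAMPLE_ALERTS = """\
02/10-03:41:07.112233  [**] [1:1000001:1] EXAMPLE web request signature [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.7:40112 -> 192.0.2.10:80
02/10-03:42:19.554001  [**] [1:1000002:1] EXAMPLE database worm probe [**] [Classification: Misc Attack] [Priority: 2] {UDP} 198.51.100.23:1045 -> 192.0.2.10:1434
02/10-03:44:02.000410  [**] [1:1000003:1] EXAMPLE ssh brute force [**] [Classification: Misc Attack] [Priority: 2] {TCP} 198.51.100.31:51514 -> 192.0.2.10:22
02/10-03:45:55.730002  [**] [1:1000004:1] EXAMPLE icmp sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 198.51.100.9 -> 192.0.2.10
02/10-03:47:30.120000  [**] [1:1000001:1] EXAMPLE web request signature [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.7:40200 -> 192.0.2.20:80
02/10-03:50:00.000000  [**] [1:1000005:1] EXAMPLE truncated
"""

def parse_fast(line):
    """Return a dict for one fast-format alert line, or None if it does not parse."""
    m = FAST_RE.match(line.strip())
    if m is None:
        return None
    alert = m.groupdict()
    alert["dport"] = int(alert["dport"]) if alert["dport"] else None  # ICMP has no port
    return alert

def split_alerts(text, server=WEB_SERVER, allowed=ALLOWED):
    """Split alerts aimed at `server` into policy-expected and leaked traffic."""
    expected, leaked, unparsed = [], [], []
    for line in filter(str.strip, text.splitlines()):
        alert = parse_fast(line)
        if alert is None:
            unparsed.append(line)  # keep for manual review, never drop silently
        elif alert["dst"] == server:
            ok = (alert["proto"], alert["dport"]) in allowed
            (expected if ok else leaked).append(alert)
    return expected, leaked, unparsed

if __name__ == "__main__":
    expected, leaked, unparsed = split_alerts(SAMPLE_ALERTS)
    print(f"{len(expected)} alert(s) on permitted ports, {len(unparsed)} unparsed line(s)")
    for a in leaked:  # these should not exist if the firewall enforces its policy
        print(f"LEAK {a['proto']}/{a['dport']} from {a['src']} sid={a['sid']} {a['msg']}")
```

A sensor running only the www rules would never produce the entries in the leaked list, which is the visibility trade-off the reply points out.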