[Snort-users] rules vs. suppress

Lee Clemens snort at ...13080...
Wed Mar 23 21:50:25 EST 2005

That all makes sense, but a serious caveat...what suppress statement
wouldn't cause the rule to be pointless? (alert any any <> 10/8 any)

If the rule says alert when the ip is 10.* and I write a suppress for 
by_src $HOME_NET and again
by_dst $HOME_NET, 

Then any illicit traffic will be suppressed if it is sent to one of my
computers or from one of my computers to one of these non-existent
(shouldn't be) addresses (exactly what I don't want, and the reason for the
rules in the first place).

Am I overlooking a simple solution for this? 

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Jeremy Hewlett
Sent: Wednesday, March 23, 2005 4:52 PM
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] rules vs. suppress

On Mon, Mar 21, Lee Clemens wrote:
> But my question is this: Would it have been better to simply write
> rules and specify my network in track by_src and track by_dst, or to keep
> these many rules that include every private network except my own.

By adding these 21 rules, you're increasing the inspection time. Each
packet that comes in will be evaluated sequentially against these
rules. Suppression is a better choice, it's a simpler execution path,
and you're not adding any additional rules.

This SF.net email is sponsored by Microsoft Mobile & Embedded DevCon 2005
Attend MEDC 2005 May 9-12 in Vegas. Learn more about the latest Windows
Embedded(r) & Windows Mobile(tm) platforms, applications & content.
by 3/29 & save $300 http://ads.osdn.com/?ad_id=6883&alloc_id=15149&op=click
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list