[Snort-users] rules vs. suppress

Salil D. salildumbre at ...3390...
Wed Mar 23 22:04:49 EST 2005


  
Hi there,

I had been sniffing into your mails;
by coincidence, I am stuck at snort.conf and the writing of rules.
I wrote a few of them for TCP and ICMP,
and the signature table gets updated.
Kindly let me know about snort.conf and rules,
and also about multiple sensors.

Salil.



On Thu, 24 Mar 2005 Lee Clemens wrote :
>That all makes sense, but a serious caveat...what suppress statement
>wouldn't cause the rule to be pointless? (alert any any <> 10/8 any)
>
>If the rule says alert when the ip is 10.* and I write a suppress for
>by_src $HOME_NET and again
>by_dst $HOME_NET,
>
>Then any illicit traffic will be suppressed if it is sent to one of my
>computers or from one of my computers to one of these non-existent
>(shouldn't be) addresses (exactly what I don't want, and the reason for the
>rules in the first place).
>
>Am I overlooking a simple solution for this?
>
>
>-----Original Message-----
>From: snort-users-admin at lists.sourceforge.net
>[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Jeremy Hewlett
>Sent: Wednesday, March 23, 2005 4:52 PM
>To: snort-users at lists.sourceforge.net
>Subject: Re: [Snort-users] rules vs. suppress
>
>On Mon, Mar 21, Lee Clemens wrote:
> >
> > But my question is this: Would it have been better to simply write
>SUPPRESS
> > rules and specify my network in track by_src and track by_dst, or to keep
> > these many rules that include every private network except my own.
>
>By adding these 21 rules, you're increasing the inspection time. Each
>packet that comes in will be evaluated sequentially against these
>rules. Suppression is a better choice, it's a simpler execution path,
>and you're not adding any additional rules.
>
>
>
>
>-------------------------------------------------------
>This SF.net email is sponsored by Microsoft Mobile & Embedded DevCon 2005
>Attend MEDC 2005 May 9-12 in Vegas. Learn more about the latest Windows
>Embedded(r) & Windows Mobile(tm) platforms, applications & content.
>Register
>by 3/29 & save $300 http://ads.osdn.com/?ad_id=6883&alloc_id=15149&op=click
>_______________________________________________
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>https://lists.sourceforge.net/lists/listinfo/snort-users
>Snort-users list archive:
>http://www.geocrawler.com/redir-sf.php3?list=snort-users
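As an added illustration, not code from the thread or from the Snort project: a small Python model of how a Snort `suppress ... track by_src|by_dst, ip <cidr>` entry matches events, run over constructed alerts from a rule like `alert ip any any <> 10.0.0.0/8 any`. It shows Lee's caveat (suppressing by_src and by_dst on $HOME_NET also hides home-to-bogus-10/8 traffic) beside the narrower rule header that excludes the home subnet from the 10/8 address list. HOME_NET 10.1.1.0/24 and the event list are assumptions.

```python
# Added example (not from the thread): models Snort's suppress matching to
# show why "track by_src/by_dst ip $HOME_NET" on a rule that alerts on all
# 10/8 traffic silences exactly the events Lee wants to keep.
import ipaddress

HOME_NET = ipaddress.ip_network("10.1.1.0/24")   # assumed home subnet
PRIVATE_10 = ipaddress.ip_network("10.0.0.0/8")  # the 10/8 range the rule watches

# Constructed sample events (src, dst) that a rule such as
#   alert ip any any <> 10.0.0.0/8 any
# would raise before any suppression is applied.
EVENTS = [
    ("10.1.1.5", "192.0.2.10"),   # home host to the internet: benign
    ("192.0.2.10", "10.1.1.5"),   # internet to home host: benign
    ("10.1.1.5", "10.9.9.9"),     # home host to a bogus 10/8 address: illicit
    ("10.9.9.9", "10.1.1.5"),     # bogus 10/8 address to home host: illicit
    ("172.16.0.2", "10.9.9.9"),   # neither side is home: illicit
]

def suppressed(src, dst, suppress):
    """Assumed model of a suppress entry: 'by_src' drops the event when the
    source address is inside the CIDR, 'by_dst' when the destination is."""
    for track, net in suppress:
        ip = ipaddress.ip_address(src if track == "by_src" else dst)
        if ip in net:
            return True
    return False

def alerts_with_suppress(events, suppress):
    """Events that survive the given list of (track, network) suppressions."""
    return [e for e in events if not suppressed(e[0], e[1], suppress)]

def alerts_with_narrow_rule(events):
    """The alternative from the thread: a rule header whose 10/8 address list
    excludes HOME_NET, so home<->internet traffic never matches at all while
    any packet touching a non-home 10/8 address still alerts."""
    out = []
    for src, dst in events:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if any(ip in PRIVATE_10 and ip not in HOME_NET for ip in (s, d)):
            out.append((src, dst))
    return out

# Lee's proposed pair of suppress statements.
LEE_SUPPRESS = [("by_src", HOME_NET), ("by_dst", HOME_NET)]

if __name__ == "__main__":
    print("with suppress:", alerts_with_suppress(EVENTS, LEE_SUPPRESS))
    print("with narrow rule:", alerts_with_narrow_rule(EVENTS))
```

Only the event that touches no home address survives the suppress pair, while the narrow rule header keeps all three illicit events and drops only the benign home-to-internet ones.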