[Snort-users] 2.6.1 and LOOOONG startup times plus more ignore_scanners info

Nigel Houghton nigel at ...1935...
Fri Nov 17 11:59:01 EST 2006


On  0, James Lay <jlay at ...13475...> wrote:
 
> include $RULE_PATH/local.rules
> include $RULE_PATH/bad-traffic.rules
> include $RULE_PATH/exploit.rules
> include $RULE_PATH/scan.rules
> include $RULE_PATH/finger.rules
> include $RULE_PATH/ftp.rules
> include $RULE_PATH/telnet.rules
> include $RULE_PATH/rpc.rules
> include $RULE_PATH/rservices.rules
> include $RULE_PATH/dos.rules
> include $RULE_PATH/ddos.rules
> include $RULE_PATH/dns.rules
> 
> include $RULE_PATH/web-cgi.rules
> include $RULE_PATH/web-coldfusion.rules
> include $RULE_PATH/web-iis.rules
> include $RULE_PATH/web-frontpage.rules
> include $RULE_PATH/web-misc.rules
> include $RULE_PATH/web-client.rules
> include $RULE_PATH/web-php.rules
> 
> include $RULE_PATH/sql.rules
> include $RULE_PATH/x11.rules
> include $RULE_PATH/icmp.rules
> include $RULE_PATH/netbios.rules
> include $RULE_PATH/misc.rules
> include $RULE_PATH/attack-responses.rules
> include $RULE_PATH/mysql.rules
> 
> include $RULE_PATH/smtp.rules
> include $RULE_PATH/pop3.rules
> 
> include $RULE_PATH/nntp.rules
> include $RULE_PATH/other-ids.rules
> include $RULE_PATH/web-attacks.rules
> include $RULE_PATH/backdoor.rules
> include $RULE_PATH/shellcode.rules
> include $RULE_PATH/policy.rules
> include $RULE_PATH/porn.rules
> include $RULE_PATH/info.rules
> include $RULE_PATH/icmp-info.rules
> include $RULE_PATH/virus.rules
> include $RULE_PATH/spyware-put.rules
> include $RULE_PATH/experimental.rules
> 
> include $RULE_PATH/bleeding-botcc.rules
> include $RULE_PATH/bleeding-drop.rules
> include $RULE_PATH/bleeding-dshield.rules
> include $RULE_PATH/bleeding-virus.rules
> include $RULE_PATH/bleeding-web.rules
> include $RULE_PATH/bleeding-attack_response.rules
> include $RULE_PATH/bleeding-dos.rules
> include $RULE_PATH/bleeding-exploit.rules
> include $RULE_PATH/bleeding-game.rules
> include $RULE_PATH/bleeding-inappropriate.rules
> include $RULE_PATH/bleeding-malware.rules
> include $RULE_PATH/bleeding-scan.rules
> include $RULE_PATH/bleeding.rules
> 
> include $RULE_PATH/community-bot.rules
> include $RULE_PATH/community-dos.rules
> include $RULE_PATH/community-exploit.rules
> include $RULE_PATH/community-game.rules
> include $RULE_PATH/community-icmp.rules
> include $RULE_PATH/community-imap.rules
> include $RULE_PATH/community-inappropriate.rules
> include $RULE_PATH/community-mail-client.rules
> include $RULE_PATH/community-misc.rules
> include $RULE_PATH/community-smtp.rules
> include $RULE_PATH/community-sql-injection.rules
> include $RULE_PATH/community-virus.rules
> include $RULE_PATH/community-web-attacks.rules
> include $RULE_PATH/community-web-client.rules
> include $RULE_PATH/community-web-dos.rules
> include $RULE_PATH/community-web-misc.rules
> include $RULE_PATH/community-web-php.rules
 
Do you *really* want to enable *every* rule in *every* ruleset you can find? 

You might want to start by trimming down the rules you want to use, then
go into each rule file and trim that down to individual rules you want to use.

--
Nigel Houghton
Office Linebacker
SF VRT
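Going into each rule file and keeping only the individual rules you want, as the reply above suggests, is tedious by hand across dozens of files. The script below is an added example (not from the original post, and not part of Snort or the VRT/Bleeding rule distributions) of one way to do that mechanically: it takes a rule file and an allow-list of SIDs, comments out every rule whose SID is not on the list, and un-comments any allow-listed rule that was disabled. Non-rule lines (comments, `var` lines, blanks) pass through untouched, and rules continued with a trailing backslash are handled as one unit. The sample rule text, the `9000001`-range SIDs and the stats keys are all constructed for the example.

```python
"""Trim one Snort rule file down to an allow-list of SIDs.

Added example, not from the original post. The rules in SAMPLE are
made up for illustration; SIDs in the 9000001 range are placeholders.
"""
import re
import sys

# A rule starts with an action keyword, optionally behind a '#'.
RULE_START_RE = re.compile(
    r'^\s*(?P<comment>#\s*)?'
    r'(?P<action>alert|log|pass|drop|reject|sdrop|activate|dynamic)\s')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')

SAMPLE = """\
# constructed sample rule file for the example; sids are placeholders
var HTTP_PORTS 80
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXAMPLE one"; \\
    content:"USER"; sid:9000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXAMPLE two"; sid:9000002; rev:1;)
alert tcp any any -> any 23 (msg:"TELNET EXAMPLE"; sid:9000003; rev:2;)
"""


def logical_lines(text):
    """Group physical lines into logical ones: a line ending in '\\'
    continues onto the next. Yields lists of physical lines."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        group = [lines[i]]
        while group[-1].rstrip().endswith('\\') and i + 1 < len(lines):
            i += 1
            group.append(lines[i])
        yield group
        i += 1


def classify(group):
    """Return (is_rule, sid, enabled) for one logical line."""
    joined = ' '.join(l.rstrip().rstrip('\\') for l in group)
    m = RULE_START_RE.match(joined)
    if not m:
        return False, None, None
    s = SID_RE.search(joined)
    sid = int(s.group(1)) if s else None
    return True, sid, m.group('comment') is None


def _disable(group):
    # Prefix every physical line so the rule stays off even if a parser
    # does not join the continuation before stripping comments.
    return ['# ' + l for l in group]


def _enable(group):
    return [re.sub(r'^(\s*)#\s?', r'\1', l, count=1) for l in group]


def trim(text, keep_sids):
    """Return (new_text, stats) with exactly the allow-listed SIDs enabled."""
    keep = set(keep_sids)
    out = []
    stats = {'kept': 0, 'enabled': 0, 'disabled': 0, 'left_off': 0, 'no_sid': 0}
    for group in logical_lines(text):
        is_rule, sid, enabled = classify(group)
        if not is_rule:
            out.extend(group)
        elif sid is None:
            stats['no_sid'] += 1        # cannot match by sid: left as found
            out.extend(group)
        elif sid in keep and enabled:
            stats['kept'] += 1
            out.extend(group)
        elif sid in keep:
            stats['enabled'] += 1
            out.extend(_enable(group))
        elif enabled:
            stats['disabled'] += 1
            out.extend(_disable(group))
        else:
            stats['left_off'] += 1      # already off and not wanted
            out.extend(group)
    return '\n'.join(out) + '\n', stats


def count_enabled(text):
    """Number of active (un-commented) rules in a rule file."""
    n = 0
    for group in logical_lines(text):
        is_rule, _, enabled = classify(group)
        n += 1 if (is_rule and enabled) else 0
    return n


if __name__ == '__main__':
    # usage: python trim_rules.py keep_sids.txt in.rules > out.rules
    # (keep_sids.txt holds one SID per line; runs against SAMPLE if omitted)
    if len(sys.argv) == 3:
        keep = [int(x) for x in open(sys.argv[1]).read().split()]
        text = open(sys.argv[2]).read()
    else:
        keep, text = [9000002, 9000003], SAMPLE
    new_text, stats = trim(text, keep)
    sys.stdout.write(new_text)
    sys.stderr.write('enabled before=%d after=%d %r\n'
                     % (count_enabled(text), count_enabled(new_text), stats))
```

Run it once per rule file with the SIDs you actually want from that file, diff the output against the original, and commit the trimmed copy alongside the allow-list so the next ruleset update can be re-trimmed the same way instead of by hand. Rules without a `sid` are left untouched and counted in `no_sid` so they can be inspected rather than silently dropped.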
