[Snort-users] Sensor overload - Too much traffic for Snort box?

Nigel Houghton nigel at ...1935...
Thu Jun 14 09:37:45 EDT 2007


On 6/14/07 2:19 AM, "Ray H." <snort at ...14147...> wrote:
 
> include /etc/snort/local.rules

Remove this next line:

> include /etc/snort/bleeding-all.rules

If you want to use bleeding stuff, do it like the official Snort rule set:
use individual rule file groupings and disable the rules you do not need.

> include $RULE_PATH/bad-traffic.rules
> include $RULE_PATH/exploit.rules
> #include $RULE_PATH/scan.rules
> #include $RULE_PATH/finger.rules
> include $RULE_PATH/ftp.rules
> include $RULE_PATH/telnet.rules
> include $RULE_PATH/rpc.rules
> #include $RULE_PATH/rservices.rules
> #include $RULE_PATH/dos.rules
> #include $RULE_PATH/ddos.rules
> include $RULE_PATH/dns.rules
> #include $RULE_PATH/tftp.rules
> #include $RULE_PATH/web-cgi.rules
> #include $RULE_PATH/web-coldfusion.rules
> #include $RULE_PATH/web-iis.rules
> #include $RULE_PATH/web-frontpage.rules
> include $RULE_PATH/web-misc.rules
> include $RULE_PATH/web-client.rules
> include $RULE_PATH/web-php.rules
> include $RULE_PATH/sql.rules
> #include $RULE_PATH/x11.rules
> #include $RULE_PATH/icmp.rules
> include $RULE_PATH/netbios.rules
> #include $RULE_PATH/misc.rules
> include $RULE_PATH/attack-responses.rules
> #include $RULE_PATH/oracle.rules
> include $RULE_PATH/mysql.rules
> #include $RULE_PATH/snmp.rules
> include $RULE_PATH/smtp.rules
> #include $RULE_PATH/imap.rules
> #include $RULE_PATH/pop2.rules
> include $RULE_PATH/pop3.rules
> #include $RULE_PATH/nntp.rules
> #include $RULE_PATH/other-ids.rules
> #include $RULE_PATH/experimental.rules
> include /etc/snort/threshold.conf

-- 
Nigel Houghton
Office Linebacker
SF VRT
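A tuning check to run on a config like the one quoted above, as an added example (my own shell script, not Nigel's or the Snort project's): it lists which rule files the conf actually loads and how many enabled rules each contributes, so a catch-all include such as bleeding-all.rules shows up at the top of the list before you prune by grouping. The directory layout, rule counts and sids in the sample tree are constructed for the demonstration; point it at a real file with SNORT_CONF=/path/to/snort.conf.

```shell
#!/bin/sh
# Added example, not part of the thread: list the rule files a snort.conf
# actually loads (uncommented "include" lines, $RULE_PATH resolved) and count
# the enabled rules in each, so a monolithic file such as bleeding-all.rules
# shows up at the top before you prune by grouping.
# Print each active include with $RULE_PATH substituted from the "var" line.
list_includes() {
  awk '/^var[[:space:]]+RULE_PATH[[:space:]]/ { rp = $3; next }
       /^include[[:space:]]/ { f = $2; sub(/\$RULE_PATH/, rp, f); print f }' "$1"
}
# Count enabled rule lines; a leading "#" disables a rule, so it is skipped.
active_rules() {
  grep -cE '^(alert|log|pass|drop|reject|sdrop)[[:space:]]' "$1" || true
}
# One "count path" line per included file, largest first; flags missing files.
rule_report() {
  list_includes "$1" | while IFS= read -r f; do
    if [ -f "$f" ]; then printf '%s %s\n' "$(active_rules "$f")" "$f"
    else echo "MISSING $f"; fi
  done | sort -rn
}
# Sum of enabled rules across every loaded file.
total_rules() {
  rule_report "$1" | awk '$1 ~ /^[0-9]+$/ { s += $1 } END { print s + 0 }'
}
# Constructed sample tree mirroring the quoted config (assumed layout):
# write_rules puts $2 enabled and $3 commented-out rules into file $1.
write_rules() {
  : > "$1"; i=0
  while [ "$i" -lt "$2" ]; do i=$((i + 1))
    echo "alert tcp any any -> any 80 (msg:\"constructed $i\"; sid:$((1000000 + i)); rev:1;)" >> "$1"
  done
  while [ "$i" -lt "$(($2 + $3))" ]; do i=$((i + 1))
    echo "# alert tcp any any -> any 80 (msg:\"disabled $i\"; sid:$((1000000 + i)); rev:1;)" >> "$1"
  done
}
setup_sample() {
  d=$(mktemp -d); mkdir -p "$d/rules"
  write_rules "$d/local.rules" 1 0
  write_rules "$d/bleeding-all.rules" 3 1
  write_rules "$d/rules/exploit.rules" 2 0
  write_rules "$d/rules/scan.rules" 5 0   # its include is commented out below
  write_rules "$d/rules/web-misc.rules" 1 1
  printf 'var RULE_PATH %s/rules\ninclude %s/local.rules\ninclude %s/bleeding-all.rules\n' "$d" "$d" "$d" > "$d/snort.conf"
  printf 'include $RULE_PATH/exploit.rules\n#include $RULE_PATH/scan.rules\ninclude $RULE_PATH/web-misc.rules\n' >> "$d/snort.conf"
  echo "$d/snort.conf"
}
if [ -n "${SNORT_CONF:-}" ]; then rule_report "$SNORT_CONF"; fi
```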