[Snort-users] issue with 2.8.2

Jason Haar Jason.Haar at ...294...
Thu Jun 5 01:23:03 EDT 2008


Steven Sturges wrote:
> Hi Jason--
>
> Couldn't you just use a port list to eliminate the 'allowed'
> DNS queries and the pass rule?  Performance would be much
> better this way.

Yes - I am aware of that, these rules were written a long time before 
snort supported portvar.

However they should still work as is - and they're not. I'm hoping 
someone figures out the bug (or fault on my part - I'm not proud ;-) 
before I rewrite the rules. I'm sure that will fix it - but it will mean 
I've just hidden a remaining problem...

Jason


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1





More information about the Snort-users mailing list