[Snort-users] icmp pass rules

Stephen Reese rsreese at ...11827...
Fri Oct 24 13:21:29 EDT 2008


So if I plan on filtering a host or subnet, then use suppression;
otherwise stick to pass?

I'm trying to keep in mind that down the road, after the pass/suppression
rules start building up, there will be performance implications, so I'm
trying to start off smart so I don't have to go through and rewrite a
bunch of rules...

On Fri, Oct 24, 2008 at 12:59 PM, Frank Knobbe <frank at ...9761...> wrote:
> On Fri, 2008-10-24 at 09:14 -0400, Stephen Reese wrote:
>> The real question is why do pass rules even exist if you could use
>> suppression instead and not have the performance penalty.
>
> Because you can be way more specific with pass rules (icode, dsize,
> content, etc) whereas with suppressions, you can only filter by *one* IP
> address and SID.
>
> -Frank
>
> --
> It is said that the Internet is a public utility. As such, it is best
> compared to a sewer. A big, fat pipe with a bunch of crap sloshing
> against your ports.
>
>
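
The distinction drawn in the quoted reply, as an added configuration sketch that is not part of the original thread. The address 192.0.2.10 (a hypothetical monitoring host), the SIDs 1000001 and 1000002, and the message text are constructed placeholders.

```conf
# Constructed example; addresses and SIDs are placeholders.

# Suppression (snort.conf or an included file):
# keyed only on generator ID, signature ID and one tracked address.
# 1000002 stands in for the SID of the ICMP alert being silenced.
suppress gen_id 1, sig_id 1000002, track by_src, ip 192.0.2.10

# Pass rule (local rules file):
# same source host, but narrowed by packet fields as well, so only
# echo requests (itype 8, icode 0) with a 32-byte payload are passed.
# Any other ICMP from this host is still evaluated by the alert rules.
pass icmp 192.0.2.10 any -> $HOME_NET any (msg:"LOCAL pass monitoring echo request"; itype:8; icode:0; dsize:32; sid:1000001; rev:1;)
```

The suppression silences one signature for the tracked address regardless of packet contents, while the pass rule exempts only traffic matching every listed option.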
