[Snort-users] icmp pass rules
frank at ...9761...
Fri Oct 24 12:59:42 EDT 2008
On Fri, 2008-10-24 at 09:14 -0400, Stephen Reese wrote:
> The real question is why do pass rules even exist if you could use
> suppression instead and not have the performance penalty.
Because you can be way more specific with pass rules (icode, dsize,
content, etc) whereas with suppressions, you can only filter by *one* IP
address and SID.
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 187 bytes
Desc: This is a digitally signed message part
More information about the Snort-users