[Snort-users] icmp pass rules
rsreese at ...11827...
Tue Oct 28 09:31:45 EDT 2008
> Yes. My calc was not accurate but you get the idea. You could also use
> a custom variable defined to your 'specific' addresses saving the
> increased config settings. $MY_HOSTS for instance.
It doesn't seem like you can use variables for suppression but that's
not a big deal.
> I'm just offering an idea, and wondering why you wouldn't do this?
> I think what is tedious is actually flexibility, since you are not
> forced to have 'a' sensor in 'a' location, you can have multiple sensors
> that obviously could be fed more specific activity.
> Typically I find getting your 'settings' for each sensor to be as
> specific as possible;
> -reduces false positives
> -reduces alert activity to specific issues.
> -allows our management interface to view more specific activity based on
> granular approach. For instance a change to our web servers doesn't
> affect our desktops, etc.
> Maybe separate sensors, one for each net would be a better approach?
> James Friesen, CIO
> "Our World Is Here..."
> info at ...2282...
I believe your logic is correct. A sensor for each network would be
rather cumbersome not to mention expensive due to the additional