[Snort-users] icmp pass rules

Stephen Reese rsreese at ...11827...
Tue Oct 28 09:31:45 EDT 2008


> Yes.  My calc was not accurate but you get the idea.  You could also use
> a custom variable defined to your 'specific' addresses saving the
> increased config settings.  $MY_HOSTS for instance.
>

It doesn't seem like you can use variables for suppression but that's
not a big deal.

>
> I'm just offering an idea, and wondering why you wouldn't do this?
>
> I think what is tedious is actually flexibility, since you are not
> forced to have 'a' sensor in 'a' location, you can have multiple sensors
> that obviously could be fed more specific activity.
>
> Typically I find getting your 'settings' for each sensor to be as
> specific as possible;
>
> -reduces false positives
> -reduces alert activity to specific issues.
> -allows our management interface to view more specific activity based on
> granular approach.  For instance a change to our web servers doesn't
> affect our desktops, etc..
>
> Maybe separate sensors, one for each net would be a better approach?
> --
> James Friesen, CIO
> Lucretia.ca
> "Our World Is Here..."
> http://lucretia.ca
> info at ...2282...
>

I believe your logic is correct. A sensor for each network would be
rather cumbersome not to mention expensive due to the additional
hardware requirements.
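As an added illustration of the per-sensor approach discussed above (example configuration written for this thread, not taken from either poster or from the Snort distribution), the fragment below defines the monitored hosts once in an `ipvar`, writes the ICMP rule against that variable, and then quiets the alert for a specific source range with a `suppress` entry. In keeping with the observation above that variables were not accepted in suppression entries, the `suppress` line uses a literal CIDR rather than `$MY_HOSTS`. The addresses, the SID and the network names are placeholders chosen for this example.

```snort
# --- snort.conf (one sensor, tuned to the subnet it actually watches) ---

# Hosts this sensor is responsible for; a single place to edit per sensor.
# (Placeholder addresses for this example.)
ipvar MY_HOSTS [192.0.2.10,192.0.2.20,192.0.2.30]

# Trusted monitoring station whose echo requests we do not want to see.
# Kept as a plain CIDR because suppress entries take literal addresses here.
# 198.51.100.0/24 is a placeholder range.
var MONITOR_NET 198.51.100.0/24

# Local rule: flag ICMP echo requests aimed at the hosts this sensor protects.
# sid 1000001 is in the local-rule range; pick your own when deploying.
alert icmp any any -> $MY_HOSTS any (msg:"LOCAL ICMP echo request to monitored host"; itype:8; sid:1000001; rev:1;)

# --- threshold.conf (included from snort.conf) ---

# Silence sid 1000001 only when the source is the monitoring network.
# Other sources still alert; nothing is dropped from the rule itself.
suppress gen_id 1, sig_id 1000001, track by_src, ip 198.51.100.0/24

# Rate-limit what remains so one noisy scanner produces one alert a minute.
threshold gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 60
```

The point of the split is that each sensor carries its own `ipvar` and its own `suppress` lines, so a change to the web servers' addresses is made on the web sensor alone, which is the granularity described in the quoted message without requiring a separate box per network.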




More information about the Snort-users mailing list