[Snort-users] [Emerging-Sigs] weirdness

Will Metcalf william.metcalf at ...11827...
Tue Aug 17 00:00:37 EDT 2010


> Correct... the pattern group will be selected based on the ports.
> Through our many years of research, we've found that qualifying
> rules based on pattern, then individual rule options, then by
> IP addrs & UDP/TCP hdr ports is most efficient in terms of speed
> and memory efficiency.

Ok just need clarification.  Thanks Steve..

> And, typically, you won't see traffic on your link unless its very
> closely related to your IP or subnet.  Otherwise, you could snoop
> everyone's in & outbound traffic across the entire ISP, etc.

I was thinking more for an organization that has say a /24 or
something where their public address space may share the same public
address space as the NAT's for their client traffic, and their sensor
is watching say watching the public interface of their fw.  I think
this scenario is pretty common.

> This almost sounds like a matter of tuning the ruleset for where Snort
> is deployed....

It is indeed.  Thanks again.  I guess rule writers just need to keep
this in mind when writing sigs.

Regards,

Will




More information about the Snort-users mailing list