[Snort-users] Rule efficiency

Alex Kirk akirk at ...1935...
Fri Jul 23 16:17:34 EDT 2010


Yes, that is correct.

On Fri, Jul 23, 2010 at 4:12 PM, Isherwood, Jeffrey - IS <
Jeffrey.Isherwood at ...14632...> wrote:

>  If it turns out that mgmt DOES want just web traffic, the use of the
> http_header will tell the sensors to stop alerting on the content on pages
> then correct?  I have been getting false positives where a user visits a
> page with a link or mention of “crappydomain.com” on it and that visit
> sets off the alert…
>
>
>
>
>
> Jeffrey Isherwood, CISSP, C|EH
>
> Computer Security Analyst | Enterprise Protection & Planning
>
> Information Systems | Information Protection & Sharing
>
>
>
> From: Alex Kirk [mailto:akirk at ...1935...]
> Sent: Friday, July 23, 2010 3:01 PM
> To: Isherwood, Jeffrey - IS
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Rule efficiency
>
>
>
> For what it's worth, the use of the fast_pattern keyword when there's a
> single content clause is actually unnecessary. The fast pattern matcher by
> default chooses the longest string available out of a rule, and if you've
> only got one string, well, it'll choose that every time.
>
>
>
> Good luck with your management quandary.
>
> > On Fri, Jul 23, 2010 at 2:33 PM, Isherwood, Jeffrey - IS <
> > Jeffrey.Isherwood at ...14632...> wrote:
> >
> > Thanks for the reply Alex… For reasons that I can’t go into, I am not
> > able to check the DNS queries (alas, that was my original thought as well).
>



-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk at ...1935...
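The two points made in the thread (a content clause with http_header is only compared against the HTTP header buffer, so a mention of the domain in a page body stops firing; and fast_pattern adds nothing to a rule with a single content clause because the longest content is the default fast pattern) can be modelled in a few lines. The Python below is an added example, not code from the thread, from Sourcefire or from Snort: it is a toy matcher, not the Snort engine. The rule strings and the HTTP request/response are constructed for the demo; the option parser only understands content:, http_header and fast_pattern (no hex escapes, no other modifiers), and the rule header (direction, ports) is not modelled at all.

```python
"""Toy model of Snort 2.x content / http_header / fast_pattern behaviour.

Added example for the thread above; not Snort code. Everything below is
constructed: the HTTP messages, the rule strings and the matcher itself.
"""
from dataclasses import dataclass

# Constructed sample traffic (not captured data).
REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: crappydomain.com\r\n"
    b"User-Agent: demo\r\n"
    b"\r\n"
)
# A page that merely links to the domain: this is the false-positive case.
RESPONSE_WITH_LINK = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b'<html><body>Never visit <a href="http://crappydomain.com/">'
    b"crappydomain.com</a></body></html>"
)

# Constructed rules: rev:1 is the "before", rev:2 restricts the match to headers.
RULE_BEFORE = ('alert tcp any any -> any any (msg:"crappydomain.com seen"; '
               'content:"crappydomain.com"; fast_pattern; sid:1000001; rev:1;)')
RULE_AFTER = ('alert tcp any any -> any any (msg:"crappydomain.com in Host header"; '
              'content:"Host: crappydomain.com"; http_header; sid:1000001; rev:2;)')
# Two-content rules to show which clause becomes the fast pattern.
RULE_TWO = ('alert tcp any any -> any any (msg:"two contents"; '
            'content:"GET"; content:"Host: crappydomain.com"; http_header; sid:1000002;)')
RULE_TWO_TAGGED = ('alert tcp any any -> any any (msg:"two contents, tagged"; '
                   'content:"GET"; fast_pattern; content:"Host: crappydomain.com"; '
                   'http_header; sid:1000003;)')


@dataclass
class Content:
    pattern: bytes
    buffer: str = "raw"        # "raw" = whole payload, "http_header" = headers only
    fast_pattern: bool = False  # explicitly tagged with the fast_pattern modifier


def parse_contents(rule: str) -> list[Content]:
    """Extract content clauses and the two modifiers this demo understands.

    Snort modifiers apply to the most recent content clause, which is all the
    state we need to track. Options are split on ';' (fine for these rules).
    """
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    contents: list[Content] = []
    for opt in (o.strip() for o in body.split(";") if o.strip()):
        if opt.startswith("content:"):
            contents.append(Content(opt[len("content:"):].strip().strip('"').encode()))
        elif opt == "http_header" and contents:
            contents[-1].buffer = "http_header"
        elif opt == "fast_pattern" and contents:
            contents[-1].fast_pattern = True
    return contents


def select_buffer(msg: bytes, buffer: str) -> bytes:
    """Return the part of the message a content clause may inspect."""
    if buffer == "raw":
        return msg
    if buffer == "http_header":
        head, _, _body = msg.partition(b"\r\n\r\n")  # everything before the body
        return head
    raise ValueError(f"unsupported buffer {buffer!r}")


def rule_matches(rule: str, msg: bytes) -> bool:
    """All content clauses must match, each in its own buffer (AND semantics)."""
    return all(c.pattern in select_buffer(msg, c.buffer) for c in parse_contents(rule))


def fast_pattern_for(rule: str) -> bytes:
    """Mimic the default choice: an explicit fast_pattern wins, else the longest content."""
    contents = parse_contents(rule)
    tagged = [c for c in contents if c.fast_pattern]
    if tagged:
        return tagged[0].pattern
    return max(contents, key=lambda c: len(c.pattern)).pattern


if __name__ == "__main__":
    for name, rule in (("rev:1 (raw content)", RULE_BEFORE), ("rev:2 (http_header)", RULE_AFTER)):
        print(name, "request:", rule_matches(rule, REQUEST),
              "page with link:", rule_matches(rule, RESPONSE_WITH_LINK))
    for rule in (RULE_BEFORE, RULE_TWO, RULE_TWO_TAGGED):
        print("fast pattern:", fast_pattern_for(rule))
```

Running it shows rev:1 firing on both the request and the page that only links to the domain, while rev:2 fires on the request alone. With one content clause the fast pattern is that clause whether or not fast_pattern is written; with two clauses the longer one is chosen unless the shorter one is tagged. For a real rule, hostnames are case-insensitive, so adding nocase to the http_header content is worth considering, and the rule header's direction and ports (which the toy ignores) decide whether server-to-client responses are ever inspected by the rule in the first place.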