[Snort-users] Fine tuning Snort

James Lay jlay at ...13475...
Fri Oct 8 08:24:09 EDT 2010


Thanks Waldo,

It's been quite interesting...I have at least four rules that look for
executables...and as I look at the threshold file I can only threshold
against one IP at a time...meaning I've got a lot of work to do as I have
to add pretty much most of google and windowsupdate.com ;)  Even though
I'm tempted to simply start snort to not monitor those netblocks, eh...I'd
rather do the right thing.

Thanks again for the help.

James


On 10/7/10 10:23 PM, "waldo kitty" <wkitty42 at ...14940...> wrote:

>On 10/7/2010 14:02, James Lay wrote:
>> Kevin and Waldo, you gents are treasures...I will get to work and report my
>> results...thank you much!
>
>something else to think about concerning rules that you would just totally
>suppress in threshold.conf... if they are completely suppressed then you might
>as well comment them out of the rules set so they do not consume any memory and
>snort won't waste any time loading them just to be ignoring them... but i guess
>this also depends on your tools and management systems... some may use only
>threshold to "disable" rules where others may actually comment them in the rules
>sets files... personally, i think the threshold file is best to suppress certain
>rules for certain IPs... total suppression is the same as disabled so... ;)
>
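Added example, not part of either message above: a small audit of a threshold.conf that separates per-IP suppressions from total ones, since the quoted reply notes that a totally suppressed rule is effectively disabled yet still loaded. The sample file content, SIDs and addresses are constructed, and the parser assumes one address or CIDR block per suppress line.

```python
# Constructed sample threshold.conf content (SIDs and addresses are made up).
SAMPLE_CONF = """\
# per-host suppression: the rule still alerts for every other address
suppress gen_id 1, sig_id 1000001, track by_src, ip 192.0.2.10
suppress gen_id 1, sig_id 1000001, track by_dst, ip 198.51.100.0/24
# total suppression: no track/ip, so the rule is loaded but never alerts
suppress gen_id 1, sig_id 1000002
#suppress gen_id 1, sig_id 1000003
"""


def parse_suppress(line):
    """Return the options of a 'suppress' line as a dict, or None otherwise."""
    line = line.split("#", 1)[0].strip()  # drop comments and whitespace
    if not line.startswith("suppress"):
        return None
    opts = {}
    # Options are comma separated "name value" pairs.
    for part in line[len("suppress"):].split(","):
        fields = part.split()
        if len(fields) >= 2:
            opts[fields[0]] = " ".join(fields[1:])
    return opts


def classify(conf_text):
    """Split suppress entries into total ones and per-IP (scoped) ones."""
    total, scoped = [], {}
    for raw in conf_text.splitlines():
        opts = parse_suppress(raw)
        if not opts or "gen_id" not in opts or "sig_id" not in opts:
            continue
        key = (int(opts["gen_id"]), int(opts["sig_id"]))
        if "track" in opts and "ip" in opts:
            scoped.setdefault(key, []).append((opts["track"], opts["ip"]))
        else:
            total.append(key)
    return total, scoped


if __name__ == "__main__":
    total, scoped = classify(SAMPLE_CONF)
    for gid, sid in total:
        print(f"{gid}:{sid} is totally suppressed; candidate to comment out of the rules file")
    for (gid, sid), entries in scoped.items():
        print(f"{gid}:{sid} is suppressed only for: {entries}")
```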





