[Snort-users] Fine tuning Snort

waldo kitty wkitty42 at ...14940...
Fri Oct 8 12:45:18 EDT 2010

On 10/8/2010 08:24, James Lay wrote:
> Thanks Waldo,
> It's been quite interesting...I have at least four rules that look for
> executables...and as I look at the threshold file I can only threshold
> against one IP at a time...meaning I've got a lot of work to do as I have
> to add pretty much most of google and windowsupdate.com ;)

you should be able to use CIDRs for blocks of IPs... you can also put them 
together on one line... i was not sure which way to do this would be the best so 
i asked in here (i think) a week or so back... the basic consensus was one IP 
per line is easier to manage... you only have to comment out or delete that one 
line when it is no longer needed and adding one is as simple as copying an 
existing one and changing the IP...

> Even though I'm tempted to simply start snort to not monitor those
> netblocks, eh...I'd rather do the right thing.

i know that feeling... it is like accepting DNS data from an external DNS server 
but do you really want to accept and trust ALL traffic from that server? not 
especially if it started coming from that server without being requested first 
;) so a threshold suppressing some DNS related GIDs/SIDs for that server's IP 
comes in handy and allows you to not get overrun by that stuff but still be able 
to monitor for other stuff from the same IP...
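As an added illustration, not taken from either poster, here is a threshold.conf fragment showing the suppress forms discussed in this thread: one address per line, a CIDR block for a whole netblock, and a suppression scoped to a single GID/SID for one DNS server so that every other rule still fires for that address. The SIDs and addresses are constructed placeholders; the bracketed multi-block form is a Snort 2.9-era syntax and is an assumption for the version in use here. Whether to track by_src or by_dst depends on which side of the connection the rule inspects.

```conf
# threshold.conf fragment (added example; SIDs and addresses are constructed)
# General form:
#   suppress gen_id <gid>, sig_id <sid>, track <by_src|by_dst>, ip <ip-list>

# One entry per address: removing a server later means deleting or
# commenting out exactly one line, and adding one is a copy-and-edit
suppress gen_id 1, sig_id 1000001, track by_src, ip 203.0.113.10
suppress gen_id 1, sig_id 1000001, track by_src, ip 203.0.113.11

# Same effect for a whole netblock using CIDR notation
suppress gen_id 1, sig_id 1000001, track by_src, ip 203.0.113.0/24

# Several blocks on one line (bracketed list; assumed available in Snort 2.9+)
suppress gen_id 1, sig_id 1000001, track by_src, ip [198.51.100.0/24, 203.0.113.0/24]

# Suppress only one DNS-related rule for one trusted resolver (constructed SID);
# all other rules still alert on traffic from that same address
suppress gen_id 1, sig_id 1000002, track by_src, ip 192.0.2.53

# Rate-limit instead of silencing: at most one alert per source per minute,
# so a noisy-but-legitimate server does not flood the log but is still seen
event_filter gen_id 1, sig_id 1000003, type limit, track by_src, count 1, seconds 60
```

Snort reads threshold.conf at startup, so a restart or reload is needed after editing it; the event_filter line is the replacement for the older `threshold` keyword and keeps an alert visible rather than hiding it entirely.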

