[Snort-users] Rule efficiency
alext at ...492...
Tue Sep 7 10:43:37 EDT 2010
On Mon, Jul 26, 2010 at 3:09 PM, Isherwood, Jeffrey - IS <
Jeffrey.Isherwood at ...14632...> wrote:
> LoL ;) well, while the outside hosts should not make it past the firewalls
> I'd like to know that they are trying... so I am looking for traffic
> I do not have access to the DNS servers... and since many of the domains
> I'm chasing are dynamic...
> without access to DNS I'm stuck watching for content...
> And yes... even if the domains are down, I'm very interested in hosts
> internally that might be looking
> for crappydomain.com and its friends
> -----Original Message-----
> From: waldo kitty [mailto:wkitty42 at ...14940...]
> Sent: Monday, July 26, 2010 3:38 PM
> To: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Rule efficiency
> > a quick question concerning your task... is this concerning sites that you host/hosted so
> > you are looking for inbound traffic to them or are these sites that the corporate entity has
> > placed "out of bounds" and you are looking for outbound traffic to them?
> > if the sites were hosted and are no longer available, what is the reasoning for looking for
> > traffic headed to them? why not just dump the DNS entries for them and close up the sites...
> > if they're down, what does it matter that something out there is using an old list... hummm...
> > unless maybe they were C&C centers and one is now attempting to find the culprit botherder... hummm...
Alex, you mentioned regarding the fast pattern matcher that "the patterns
used are based on the port used in the rule." Is this just the destination
port, source port or source/destination combination?
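The content-based approach Jeffrey describes above (watching DNS queries for crappydomain.com without access to the resolvers) as an added example, not code from the thread: a DNS question carries the name as length-prefixed labels, so a plain `content:"crappydomain.com"` never matches; the helpers below encode the name the way it appears on the wire, check a constructed query payload label-by-label (case-insensitive, subdomains included), and emit the equivalent pipe-hex Snort content string. The domain is the one from the thread; the query bytes are constructed inline.

```python
import struct

def dns_wire_name(domain: str) -> bytes:
    """Encode a name as DNS wire-format labels: <len><label>...<0x00>."""
    out = b""
    for label in domain.rstrip(".").split("."):
        out += bytes([len(label)]) + label.lower().encode("ascii")
    return out + b"\x00"

def build_dns_query(domain: str, txid: int = 0x1234) -> bytes:
    """Constructed sample UDP payload: 12-byte DNS header plus one A/IN question."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    return header + dns_wire_name(domain) + struct.pack(">HH", 1, 1)

def parse_qname(payload: bytes, offset: int = 12):
    """Return the first question's labels (lowercased), or None if not a plain name."""
    labels, pos = [], offset
    while pos < len(payload):
        n = payload[pos]
        if n == 0:
            return labels
        if n & 0xC0 or pos + 1 + n > len(payload):
            return None  # compression pointer or truncated name
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii", "replace").lower())
        pos += 1 + n
    return None

def matches_watched_domain(payload: bytes, watched: str) -> bool:
    """True if the query is for `watched` or any subdomain of it (label-aligned, so
    notcrappydomain.com does not match crappydomain.com)."""
    labels = parse_qname(payload)
    want = watched.lower().rstrip(".").split(".")
    return labels is not None and len(labels) >= len(want) and labels[-len(want):] == want

def naive_content_match(payload: bytes, watched: str) -> bool:
    """What a literal 'content:"crappydomain.com"' rule effectively does: fails on
    DNS because the dots are length bytes on the wire and case varies."""
    return watched.encode("ascii") in payload

def snort_content(domain: str) -> str:
    """Snort content option in pipe-hex form for the wire encoding of `domain`."""
    parts = [f"|{len(label):02x}|{label}" for label in domain.rstrip(".").split(".")]
    return 'content:"' + "".join(parts) + '|00|";'

if __name__ == "__main__":
    q = build_dns_query("www.CrappyDomain.com")
    print(snort_content("crappydomain.com"))
    print(matches_watched_domain(q, "crappydomain.com"), naive_content_match(q, "crappydomain.com"))
```

The pipe-hex string anchors the match to the label boundaries, so it also covers the "its friends" case as long as each watched domain gets its own content option.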