[Snort-users] Rule efficiency

Alex Tatistcheff alext at ...492...
Tue Sep 7 10:43:37 EDT 2010

On Mon, Jul 26, 2010 at 3:09 PM, Isherwood, Jeffrey - IS <Jeffrey.Isherwood at ...14632...> wrote:

> LoL ;) well, while the outside hosts should not make it past the firewalls etc...
> I'd like to know that they are trying... so I am looking for traffic bi-directionally.
> I do not have access to the DNS servers... and since many of the domains I'm chasing are dynamic...
> without access to DNS I'm stuck watching for content...
> And yes... even if the domains are down, I'm very interested in hosts internally that might be looking for crappydomain.com and its friends
>
> -----Original Message-----
> From: waldo kitty [mailto:wkitty42 at ...14940...]
> Sent: Monday, July 26, 2010 3:38 PM
> To: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Rule efficiency
> > a quick question concerning your task... is this concerning sites that you host/hosted so you are looking for inbound traffic to them or are these sites that the corporate entity has placed "out of bounds" and you are looking for outbound traffic to them?
> > if the sites were hosted and are no longer available, what is the reasoning for looking for traffic headed to them? why not just dump the DNS entries for them and close up the sites... if they're down, what does it matter that something out there is using an old list... hummm...
> > unless maybe they were C&C centers and one is now attempting to find the culprit botherder... hummm...

Alex, you mentioned regarding the fast pattern matcher that "the patterns
used are based on the port used in the rule."  Is this just the destination
port, source port or source/destination combination?


Alex Tatistcheff
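Jeff's problem in the quoted message (no DNS server access, so he has to spot lookups for crappydomain.com by content) trips up a lot of first attempts: the name never appears with dots on the wire, so content:"crappydomain.com" on a DNS rule matches nothing. The following is an added example, not code from the thread or from the Snort project: it encodes a domain the way it appears in a DNS query (RFC 1035 length-prefixed labels), emits a Snort 2 rule whose content uses that encoding with fast_pattern, and checks the content bytes against a constructed query payload. The rule header, sid and the sample query are assumptions chosen for illustration.

```python
"""
Added example (not from the mailing-list thread or from Snort itself):
encode a domain name as it appears in a DNS query, emit a Snort rule that
matches it, and verify the rule's content bytes against a constructed query.
"""
import struct


def _labels(domain: str):
    """Split a domain into labels, restricted to the characters Snort's
    content string can carry without escaping (letters, digits, hyphen)."""
    labels = domain.strip(".").lower().split(".")
    for label in labels:
        if not 0 < len(label) < 64 or not label.replace("-", "").isalnum():
            raise ValueError(f"bad label: {label!r}")
    return labels


def wire_qname(domain: str) -> bytes:
    """RFC 1035 QNAME: one length byte before each label, 0x00 terminator."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in _labels(domain))
    return out + b"\x00"


def snort_content(domain: str) -> str:
    """Same bytes as wire_qname, written in Snort content syntax: label
    lengths as |hex| runs, label text as plain ASCII."""
    return "".join(f"|{len(l):02x}|{l}" for l in _labels(domain)) + "|00|"


def snort_rule(domain: str, sid: int) -> str:
    """Bidirectional UDP/53 rule (assumed header); the encoded name is the
    fast pattern so the multi-pattern matcher does the heavy lifting."""
    return (
        f'alert udp $HOME_NET any <> any 53 ('
        f'msg:"DNS lookup for {domain}"; '
        f'content:"{snort_content(domain)}"; nocase; fast_pattern; '
        f'sid:{sid}; rev:1;)'
    )


def content_to_bytes(content: str) -> bytes:
    """Turn a Snort content string (text with |hex| runs) into raw bytes."""
    out, in_hex = b"", False
    for chunk in content.split("|"):
        out += bytes.fromhex(chunk) if in_hex else chunk.encode("ascii")
        in_hex = not in_hex
    return out


def content_matches(content: str, payload: bytes, nocase: bool = True) -> bool:
    """Apply a content string to a payload the way a plain substring content
    match behaves (nocase folds ASCII letters on both sides)."""
    needle = content_to_bytes(content)
    if nocase:
        needle, payload = needle.lower(), payload.lower()
    return needle in payload


def dns_query(domain: str, txid: int = 0x1234) -> bytes:
    """Constructed standard query (sample input, not a real capture):
    12-byte header with RD set and QDCOUNT=1, then QNAME, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + wire_qname(domain) + struct.pack("!HH", 1, 1)


if __name__ == "__main__":
    print(snort_rule("crappydomain.com", 1000001))
    q = dns_query("www.CrappyDomain.com")
    print("encoded content hits:", content_matches(snort_content("crappydomain.com"), q))
    print("dotted text hits:    ", content_matches("crappydomain.com", q))
```

Note that the encoded form also catches subdomains (www.crappydomain.com carries the same trailing label bytes), while the dotted-text form never fires on a DNS query at all; the only thing a dotted string would catch is the name appearing in some other protocol, such as an HTTP Host header.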