[Snort-users] Rule efficiency

Alex Tatistcheff alext at ...492...
Tue Sep 7 10:43:37 EDT 2010


On Mon, Jul 26, 2010 at 3:09 PM, Isherwood, Jeffrey - IS <
Jeffrey.Isherwood at ...14632...> wrote:

> LoL ;) well, while the outside hosts should not make it past the firewalls
> etc...
> I'd like to know that they are trying... so I am looking for traffic
> bi-directionally.
>
> I do not have access to the DNS servers... and since many of the domains
> I'm chasing are dynamic...
> without access to DNS I'm stuck watching for content...
>
> And yes... even if the domains are down, I'm very interested in hosts
> internally that might be looking
> for crappydomain.com and its friends
>
>
> -----Original Message-----
> From: waldo kitty [mailto:wkitty42 at ...14940...]
> Sent: Monday, July 26, 2010 3:38 PM
> To: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Rule efficiency
>
> > a quick question concerning your task... is this concerning sites that
> > you host/hosted so you are looking for inbound traffic to them or are
> > these sites that the corporate entity has placed "out of bounds" and you
> > are looking for outbound traffic to them?
> >
> > if the sites were hosted and are no longer available, what is the
> > reasoning for looking for traffic headed to them? why not just dump the
> > DNS entries for them and close up the sites... if they're down, what does
> > it matter that something out there is using an old list... hummm...
> > unless maybe they were C&C centers and one is now attempting to find the
> > culprit botherder... hummm...


Alex, you mentioned regarding the fast pattern matcher that "the patterns
used are based on the port used in the rule."  Is this just the destination
port, source port or source/destination combination?

Thanks!

Alex Tatistcheff