[Snort-users] Rule performance profiling question
wkitty42 at ...14940...
Thu Sep 16 00:33:36 EDT 2010
On 9/15/2010 21:53, Joel Esler wrote:
> Which environment is that?
not one of the common "today" OS setups... it is a dedicated firewall appliance
that is available via commercial or FOSS... for the FOSS version, one downloads
an ISO, burns it and installs it to an old (as in dumpster diving age) computer
with up to 4 NICs in it... originally it started out as an extremely stripped
redhat but has moved on to become its own distribution... IIRC, we're up to
kernel 2.16.60... it is "tried and true" and any holes are known and patched ;)

when we first attempted to use the SO rules, we had to try several different
ones until we found one that was compatible and didn't crash the machine... IIRC
we had to use the Centos-4.6 ones but that was a year ago and i'm not sure which
kernel was being used at that time... in fact, my kernel version above is
actually behind by one or two due to development issues preventing my applying
the latest updates to my boxen but as soon as i get these mods completed, tested
and out the door, i plan on moving up to the latest fixpack and whatever kernel

as an aside, it has taken another person the entire past year to bring the FOSS
version up to the "latest and greatest" versions of everything... kernel,
drivers, toolchains, apps, etc... but it is extremely experimental and deity
knows what security holes the latest versions of everything may have in them
compared to what was being used... yes... extremely experimental and definitely
not for the faint of heart to play with... even with the most up to date
versions that compile and work together without breakage... i think they're
still beating up on openswan and i'm not sure they'll get it operational...
that's kinda one that is expected to end up in the bitbucket... seems that even
the openswan folk don't know how it works any more :/
> On Wednesday, September 15, 2010, waldo kitty<wkitty42 at ...14940...> wrote:
>> On 9/15/2010 18:36, Joel Esler wrote:
>>> Both are SO rules.
>> ahhh... ok so they are GID 3 which i'm not using at this time due to kernel
>> changes in my environment... hopefully you guys will still be releasing SO rules
>> that are compatible with the kernel that my environment is "stuck" using for
>> security reasons...