[Snort-users] Rule performance profiling question

waldo kitty wkitty42 at ...14940...
Thu Sep 16 00:33:36 EDT 2010

On 9/15/2010 21:53, Joel Esler wrote:
> Which environment is that?

not one of the common "today" OS setups... it is a dedicated firewall appliance 
that is available via commercial or FOSS... for the FOSS version, one downloads 
an ISO, burns it and installs it to an old (as in dumpster diving age) computer 
with up to 4 NICs in it... originally it started out as an extremely stripped 
redhat but has moved on to become its own distribution... IIRC, we're up to 
kernel 2.16.60... it is "tried and true" and any holes are known and patched ;)

when we first attempted to use the SO rules, we had to try several different 
ones until we found one that was compatible and didn't crash the machine... IIRC 
we had to use the CentOS-4.6 ones but that was a year ago and i'm not sure which 
kernel was being used at that time... in fact, my kernel version above is 
actually behind by one or two due to development issues preventing my applying 
the latest updates to my boxen but as soon as i get these mods completed, tested 
and out the door, i plan on moving up to the latest fixpack and whatever kernel 
it contains...

as an aside, it has taken another person the entire past year to bring the FOSS 
version up to the "latest and greatest" versions of everything... kernel, 
drivers, toolchains, apps, etc... but it is extremely experimental and deity 
knows what security holes the latest versions of everything may have in them 
compared to what was being used... yes... extremely experimental and definitely 
not for the faint of heart to play with... even with the most up to date 
versions that compile and work together without breakage... i think they're 
still beating up on openswan and i'm not sure they'll get it operational... 
that's kinda one that is expected to end up in the bitbucket... seems that even 
the openswan folk don't know how it works any more :/

> On Wednesday, September 15, 2010, waldo kitty<wkitty42 at ...14940...>  wrote:
>> On 9/15/2010 18:36, Joel Esler wrote:
>>> Both are SO rules.
>> ahhh... ok so they are GID 3 which i'm not using at this time due to kernel
>> changes in my environment... hopefully you guys will still be releasing SO rules
>> that are compatible with the kernel that my environment is "stuck" using for
>> security reasons...

