[Snort-users] Rules division, divide, split

Joel Esler (jesler) jesler at ...589...
Tue May 26 15:35:20 EDT 2015


On May 22, 2015, at 3:01 PM, Robert Lasota <wrkilu at ...3879...<mailto:wrkilu at ...3879...>> wrote:

On Friday, 22 May 2015 20:33, Joel Esler (jesler) <jesler at ...589...<mailto:jesler at ...589...>> wrote:
Sounds like you are trying to do something oddly clever. Can you describe what you are trying to do?


Hehe ;), we don't want to load Snort too much by enabling all rules; this will be an IPS for SOHO. So we thought we'd turn on just the malware/virus/browser rules, but sometimes, when it is needed, we'll add rules just for the needed apps, e.g. SQL Server and VoIP, or for HTTP and mail servers. That's why.

Are you using OpenAppID to identify sessions for protocols and ports?

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos Group
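As an added example (not code from this thread, and not the Snort project's own tooling), here is one way to build the smaller rule set described in the reply: parse each rule line, keep a baseline (e.g. rules whose msg starts with "MALWARE-") enabled, comment out everything else, and later re-enable rules by msg prefix or classtype when an application such as SQL Server or VoIP is deployed. The rule lines are constructed samples in Snort 2.x syntax with made-up SIDs, not real Talos rules.

```python
import re

# Constructed sample rules in Snort 2.x syntax (not from the thread, not real
# Talos content). The VoIP rule starts out disabled with a leading '#'.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 1433 (msg:"SQL probe"; flow:to_server; classtype:attempted-recon; sid:1000001; rev:1;)
# alert udp $HOME_NET any -> any 5060 (msg:"VOIP invite"; classtype:protocol-command-decode; sid:1000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC beacon"; flow:to_server; classtype:trojan-activity; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SERVER-MAIL overflow"; classtype:attempted-admin; sid:1000004; rev:1;)
"""

# A rule line: optional '#' (disabled), an action, a header, and "(options)".
RULE_RE = re.compile(r'^(?P<off>#\s*)?(?P<action>alert|drop|pass|log)\s.*\((?P<opts>.*)\)\s*$')

def parse_rule(line):
    """Return (enabled, msg, classtype, sid) for one rule line, or None for non-rules."""
    m = RULE_RE.match(line)
    if not m:
        return None
    opts = m.group('opts')
    def opt(name):
        mm = re.search(r'\b' + name + r':\s*"?([^";]+)"?\s*;', opts)
        return mm.group(1) if mm else ''
    return (m.group('off') is None, opt('msg'), opt('classtype'), opt('sid'))

def select_rules(text, wanted_prefixes=(), wanted_classtypes=()):
    """Rebuild the rule set: a rule whose msg starts with a wanted prefix or
    whose classtype is wanted is enabled; every other rule is commented out
    (kept on disk so it can be re-enabled later without a fresh download)."""
    out = []
    for line in text.splitlines():
        parsed = parse_rule(line)
        if parsed is None:
            out.append(line)  # comments and blank lines pass through untouched
            continue
        _, msg, ctype, _ = parsed
        keep = msg.startswith(tuple(wanted_prefixes)) or ctype in wanted_classtypes
        body = line.lstrip('# ')
        out.append(body if keep else '# ' + body)
    return '\n'.join(out) + '\n'

def enabled_sids(text):
    """SIDs of the rules that are active (not commented out) in the given text."""
    sids = []
    for line in text.splitlines():
        p = parse_rule(line)
        if p and p[0]:
            sids.append(p[3])
    return sids
```

Selecting by msg prefix relies on the category naming convention used in Talos rule messages; selecting by classtype works on any rule that carries the option.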
