Snort mailing list archives
RE: Database Plugin - Alert vs. Log
From: Frank Knobbe <fknobbe () knobbeits com>
Date: 02 Dec 2002 11:32:09 -0600
On Mon, 2002-12-02 at 11:20, L. Christopher Luther wrote:
Always an option, but then again, that's what the portscan plugin is for. Why reinvent the wheel? Better have the portscan plugin normalized to produce consistent output.
I would call it reinventing the wheel if it were redundant. In my opinion, it is not, because the approach is different. Using rules over the port scan plugin gives you finer control. It also makes you have to learn your network layout, which is always a plus :) I see too many folks deploying Snort that don't know what their network looks like. You really need to get a handle on your network first before you deploy an IDS. The argument that the IDS is there so you don't have to know what's behind your network is, imho, flawed. Maybe I just love to use customized rules... :)
Frank