Snort mailing list archives

RE: Database Plugin - Alert vs. Log


From: Frank Knobbe <fknobbe () knobbeits com>
Date: 02 Dec 2002 11:32:09 -0600

On Mon, 2002-12-02 at 11:20, L. Christopher Luther wrote:
> Always an option, but then again, that's what the portscan plugin is
> for.  Why reinvent the wheel?  Better have the portscan plugin
> normalized to produce consistent output.


I would call it reinventing the wheel if it were redundant. In my
opinion, it is not, because the approach is different. Using rules over
the port scan plugin gives you finer control.

It also makes you have to learn your network layout, which is always a
plus :)  I see too many folks deploying Snort that don't know what their
network looks like. You really need to get a handle on your network
first before you deploy an IDS. The argument that the IDS is there so
you don't have to know what's behind your network, is imho flawed.

Maybe I just love to use customized rules... :)

Frank
