Snort mailing list archives
Re: Newbie questions are as newbie questions does
From: Erek Adams <erek () snort org>
Date: Tue, 8 Apr 2003 10:09:21 -0500 (EST)
On Mon, 7 Apr 2003, Geoff Craig wrote:
In a "theoretical" deployment, say you had one Snort box that was monitoring traffic going to 3 boxes, 2 real web servers, and 1 honeypot. So, I have a rule that alerts on all port 80 traffic going to the honeypot, but just the web-iis.rules for the other 2 web servers. Will the rule that logs all port 80 traffic cause the web-iis.rules to not be fired when going to the honeypot? If I need to be more in depth let me know. In other words, what happens if two rules happen to be a positive for a certain packet or stream? If only one fires how can you control which one?
If you're going to 'log' all traffic going to port 80 on your honeypot, I'd suggest using Tcpdump instead of Snort. If all you want is to log packets, there's no real need to use the extra overhead of Snort. Granted, you'll need to change the snaplen with Tcpdump to get the entire packet. That would eliminate the overhead of the rule engine and such.

Cheers!

-----
Erek Adams

"When things get weird, the weird turn pro." H.S. Thompson
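As an added example (not part of the original reply), this shell helper builds the tcpdump command the advice above describes: full-packet capture of port-80 traffic to a single honeypot host, written to a pcap file. The interface name, honeypot address and output path are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: build the tcpdump invocation
# that captures full port-80 packets destined for one honeypot host.
# Interface, honeypot address and output path are assumed placeholders.
honeypot_capture_cmd() {
    iface="$1"      # sensor interface, e.g. eth0
    honeypot="$2"   # honeypot IP address (placeholder)
    outfile="$3"    # pcap file to write

    # -s 0 raises the snaplen to the full packet; tcpdump releases of this
    # era defaulted to 68 bytes, which truncates HTTP payloads.
    # -n avoids DNS lookups on the sensor; -w writes raw pcap so the
    # capture can later be replayed through Snort or other tools.
    printf 'tcpdump -i %s -n -s 0 -w %s "dst host %s and tcp dst port 80"\n' \
        "$iface" "$outfile" "$honeypot"
}

# Sanity check: refuse a command line whose snaplen was left at the default.
has_full_snaplen() {
    case "$1" in
        *" -s 0 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage (prints the command; pipe to sh to run it on the sensor):
# honeypot_capture_cmd eth0 192.0.2.10 /var/log/honeypot-80.pcap
```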
Current thread:
- Newbie questions are as newbie questions does Geoff Craig (Apr 07)
- Re: Newbie questions are as newbie questions does Michael L. Artz (Apr 07)
- Re: Newbie questions are as newbie questions does Erek Adams (Apr 08)