Snort mailing list archives
rules vs. suppress
From: "Lee Clemens" <snort () leeclemens net>
Date: Mon, 21 Mar 2005 17:18:56 -0500
I just wrote a set of rules to watch for traffic with invalid IP addresses (in private network space). To jump over my own smaller network (/26) it took about 21 rules (including 1 each for 172.16/12 and 192.168/16).

But my question is this: would it have been better to simply write SUPPRESS rules and specify my network in track by_src and track by_dst, or to keep these many rules that include every private network except my own?

My question has more to do with what is more CPU intensive or more likely to cause dropped packets, etc. (having a lot of packets alert and then get suppressed, or a lot of rules that aren't triggered very often).

Thanks :)
Current thread:
- rules vs. suppress Lee Clemens (Mar 21)
- Re: rules vs. suppress Jeremy Hewlett (Mar 23)
- RE: rules vs. suppress Lee Clemens (Mar 23)
- Re: rules vs. suppress Jeremy Hewlett (Mar 31)
- RE: rules vs. suppress Lee Clemens (Mar 23)
- <Possible follow-ups>
- Re: RE: rules vs. suppress Salil D. (Mar 23)
- Re: rules vs. suppress Jeremy Hewlett (Mar 23)