Snort mailing list archives
Re: Rule Selection
From: Rudi Starcevic <tech () wildcash com>
Date: Thu, 10 Feb 2005 23:15:02 -0800
Hi,>> Depends on what your're looking for. I run some snort sensors "wide open" in order to monitor and profile all the attacks >> that are occuring. In other cases, only selected rules are enabled.Miner, Jonathan W (CSC) (US SSA) wrote:
Well I am very interested to know all attacks that may be ocurring but network performance is our main concern. This box is a commercial web app that stream digital media so it must have the best network speed it can.
Let say only port 80 is open. Which of the two would run faster a) Smort with all rules loaded b) Smort with only port 80 rules loaded.I tend to think it makes no difference. If port 80 is not being used snort will not apply those rules.
Am I correct? Cheers RudiDepends on what your're looking for. I run some snort sensors "wide open" in order to monitor and profile all the attacks that are occuring. In other cases, only selected rules are enabled.
For example, if your firewall only allows Port 80 traffic, then running snort with "all" the rules behind the firewall will alert you to other traffic that might be "leaking" through.-----Original Message----- From: snort-users-admin () lists sourceforge net on behalf of Rudi Starcevic Sent: Thu 02/10/2005 01:30 PM To: snort-users () lists sourceforge net Cc: Subject: [Snort-users] Rule SelectionHi, A colleague of mine suggested to me that a machine with only port 80 open ( www server ) one should only use www Snort rules. That would mean not using alot of available rules for intrusion detection, is that wise ? Thanks Best regards Rudi ------------------------------------------------------- SF email is sponsored by - The IT Product Guide Read honest & candid reviews on hundreds of IT Products from real users. Discover which products truly live up to the hype. Start reading now. http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users HW�j)b��h��+y��N�L��v�-�y�v'z�\jwbv����,�xn���v�!3�ۜ���j�j[�z���(���'!����l����X�z�m��^�*^J֫���v)�!���l��gr��i؝��e�ȝ^�)�rD���n��왨��x%��R���ǫ�X���(��~��zw��h��Q��Z�����ب��+�{.n�+�����l��b��,���y�+���b��?�+-�w����۬z����ǫ�X���܆+ކ�i��0��r����ܢo�yث��a�yb�О��ǫs===
------------------------------------------------------- SF email is sponsored by - The IT Product Guide Read honest & candid reviews on hundreds of IT Products from real users. Discover which products truly live up to the hype. Start reading now. http://ads.osdn.com/?ad_ide95&alloc_id396&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Rule Selection Rudi Starcevic (Feb 09)
- Re: Rule Selection Alex Butcher, ISC/ISYS (Feb 10)
- Re: Rule Selection Jose Maria Lopez (Feb 10)
- RE: Rule Selection Adam Kliarsky (Feb 21)
- <Possible follow-ups>
- RE: Rule Selection Miner, Jonathan W (CSC) (US SSA) (Feb 10)
- Re: Rule Selection Rudi Starcevic (Feb 10)
- Re: Rule Selection Matt Kettler (Feb 10)
- Re: Rule Selection Alex Butcher, ISC/ISYS (Feb 11)
- Re: Rule Selection Rudi Starcevic (Feb 10)