Snort mailing list archives

Re: Sensor overload - Too much traffic for Snort box?

From: Nigel Houghton <nigel () sourcefire com>
Date: Thu, 14 Jun 2007 09:37:45 -0400

On 6/14/07 2:19 AM, "Ray H." <snort () melray us> wrote:

include /etc/snort/local.rules


Remove this next line:

include /etc/snort/bleeding-all.rules


If you want to use bleeding stuff, do it like the official snort rule set,
use individual rule file groupings and disable the rules you do not need.

include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
#include $RULE_PATH/scan.rules
#include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
#include $RULE_PATH/rservices.rules
#include $RULE_PATH/dos.rules
#include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
#include $RULE_PATH/tftp.rules
#include $RULE_PATH/web-cgi.rules
#include $RULE_PATH/web-coldfusion.rules
#include $RULE_PATH/web-iis.rules
#include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
#include $RULE_PATH/x11.rules
#include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
#include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
#include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
#include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
#include $RULE_PATH/imap.rules
#include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
#include $RULE_PATH/nntp.rules
#include $RULE_PATH/other-ids.rules
#include $RULE_PATH/experimental.rules
include /etc/snort/threshold.conf


-- 
Nigel Houghton
Office Linebacker
SF VRT


-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Snort memory swap usage Zakai Kinan (Jun 06)
- Re: Snort memory swap usage Todd Wease (Jun 06)
- Sensor overload - Too much traffic for Snort box? Ray H. (Jun 08)
  - Re: Sensor overload - Too much traffic for Snort box? Benjamin Small (Jun 08)
  - Re: Sensor overload - Too much traffic for Snort box? Fábio a.k.a Fósforo (Jun 08)
    - Re: Sensor overload - Too much traffic for Snort box? Ray H. (Jun 08)
  - Re: Sensor overload - Too much traffic for Snort box? Matthew Watchinski (Jun 09)
    - Re: Sensor overload - Too much traffic for Snort box? Ray H. (Jun 11)
    - Re: Sensor overload - Too much traffic for Snort box? Matthew Watchinski (Jun 11)
    - Re: Sensor overload - Too much traffic for Snort box? Ray H. (Jun 13)
    - Re: Sensor overload - Too much traffic for Snort box? Nigel Houghton (Jun 14)
    - Re: Sensor overload - Too much traffic for Snort box? Matthew Watchinski (Jun 14)
    - mpls ty (Jun 14)
    - Re: mpls Paul Melson (Jun 15)
    - Re: mpls Martin Roesch (Jun 15)
    - Re: mpls Matthew Watchinski (Jun 15)
- Re: Snort memory swap usage Carlos Terrón (Jun 10)
  - Re: Snort memory swap usage Marc Norton (Jun 13)