Snort mailing list archives
Re: New Suppress
From: Jason Brvenik <jasonb () sourcefire com>
Date: Thu, 24 Sep 2009 23:43:07 -0400
On Thu, Sep 24, 2009 at 10:07 AM, Jack Pepper <pepperjack () afferentsecurity com> wrote:
Quoting Jason Wallace <jason.r.wallace () gmail com>:I would like to suppress all alerts from our external vulnerability scanning service. Their scans can come from numerous IP ranges.I use PASS rules for that. The problem with suppress is that the test packets pass through the rule base and get inspected, then get ignored. The PASS rule fires first and ends the analysis.
It doesn't work like that any more. All rule content is pre screened against packets and then if it qualified gets to the pass / alert / etc evaluation. In essence a PASS rule causes the system to do twice the amount of work and should only really be used when you want to PASS specific traffic and not just suppress the event from some place.
jp -- Framework? I don't need no stinking framework! ---------------------------------------------------------------- @fferent Security Labs: Isolate/Insulate/Innovate http://www.afferentsecurity.com ------------------------------------------------------------------------------ Come build with us! The BlackBerry® Developer Conference in SF, CA is the only developer event you need to attend this year. Jumpstart your developing skills, take BlackBerry mobile applications to market and stay ahead of the curve. Join us from November 9-12, 2009. Register now! http://p.sf.net/sfu/devconf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------------------------------ Come build with us! The BlackBerry® Developer Conference in SF, CA is the only developer event you need to attend this year. Jumpstart your developing skills, take BlackBerry mobile applications to market and stay ahead of the curve. Join us from November 9-12, 2009. Register now! http://p.sf.net/sfu/devconf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- New Suppress Jason Wallace (Sep 24)
- Re: New Suppress JJ Cummings (Sep 24)
- Re: New Suppress rcombs (Sep 24)
- Re: New Suppress Jack Pepper (Sep 24)
- Re: New Suppress Jason Brvenik (Sep 24)
- Re: New Suppress JJ Cummings (Sep 24)