Snort mailing list archives
Re: Rule efficiency
From: Alex Kirk <akirk () sourcefire com>
Date: Fri, 23 Jul 2010 16:17:34 -0400
Yes, that is correct.

On Fri, Jul 23, 2010 at 4:12 PM, Isherwood, Jeffrey - IS <Jeffrey.Isherwood () itt com> wrote:

> If it turns out that mgmt DOES want just web traffic, the use of the http_header will tell the sensors to stop alerting on the content on pages then, correct? I have been getting false positives where a user visits a page with a link or mention of "crappydomain.com" on it and that visit sets off the alert…
>
> Jeffrey Isherwood, CISSP, C|EH
> Computer Security Analyst | Enterprise Protection & Planning
> Information Systems | Information Protection & Sharing
>
> From: Alex Kirk [mailto:akirk () sourcefire com]
> Sent: Friday, July 23, 2010 3:01 PM
> To: Isherwood, Jeffrey - IS
> Cc: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] Rule efficiency
>
> For what it's worth, the use of the fast_pattern keyword when there's a single content clause is actually unnecessary. The fast pattern matcher by default chooses the longest string available out of a rule, and if you've only got one string, well, it'll choose that every time.
>
> Good luck with your management quandary.
>
> On Fri, Jul 23, 2010 at 2:33 PM, Isherwood, Jeffrey - IS <Jeffrey.Isherwood () itt com> wrote:
>
> > Thanks for the reply Alex… For reasons that I can't go into, I am not able to check the DNS queries (alas, that was my original thought as well).
--
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com
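The two points in the exchange above, the http_header modifier narrowing a match to the request headers and fast_pattern being redundant with a single content, shown as Snort 2.x rules. This is an added example written for this archive page, not a rule posted in the thread or shipped by Sourcefire. The sid values (1000001 through 1000003), the $HOME_NET/$EXTERNAL_NET/$HTTP_PORTS variables, and the "/update/check.php" URI in the third rule are assumptions made for illustration; the http_header and http_uri buffers are only populated when the http_inspect preprocessor is enabled for the ports in question.

```snort
# Added example rules, not from the mailing-list thread. sid values, variable
# names and the /update/check.php path are assumptions for illustration only.

# Before: a raw content match. "crappydomain.com" is found anywhere in the
# reassembled client stream, including the HTML body of an unrelated page that
# merely links to or mentions the domain, which is the false positive described
# above. fast_pattern is redundant here: with one content clause that string is
# already the fast-pattern string the matcher selects by default.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOCAL crappydomain.com string in client traffic"; flow:to_server,established; content:"crappydomain.com"; nocase; fast_pattern; classtype:policy-violation; sid:1000001; rev:1;)

# After: http_header restricts the content match to the normalized HTTP request
# headers, so a page body containing the string no longer fires the rule; a
# request whose Host (or Referer) header carries the domain still does.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOCAL HTTP request to crappydomain.com"; flow:to_server,established; content:"crappydomain.com"; nocase; http_header; classtype:policy-violation; sid:1000002; rev:1;)

# Where fast_pattern does matter: two content clauses. By default the matcher
# would pick the longer string ("/update/check.php", 17 bytes) as the fast
# pattern; fast_pattern on the shorter but rarer domain string keeps the
# multi-pattern search keyed on the string least likely to appear in benign
# traffic, so the full rule is evaluated less often.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOCAL crappydomain.com update check"; flow:to_server,established; content:"crappydomain.com"; nocase; http_header; fast_pattern; content:"/update/check.php"; http_uri; classtype:policy-violation; sid:1000003; rev:1;)
```

To confirm which string the matcher chose for a rule, run Snort with the rule-profiling or debug-level fast-pattern output for your version and check that sid 1000003 lists the domain, not the URI, as its fast pattern; without that check a tuned rule can quietly fall back to the longest-string default after an edit.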
Current thread:
- Rule efficiency Isherwood, Jeffrey - IS (Jul 23)
- Re: Rule efficiency Alex Kirk (Jul 23)
- Re: Rule efficiency Korodev (Jul 23)
- Re: Rule efficiency Isherwood, Jeffrey - IS (Jul 23)
- Re: Rule efficiency Alex Kirk (Jul 23)
- Re: Rule efficiency Joel Esler (Jul 23)
- Re: Rule efficiency Alex Kirk (Jul 23)
- Re: Rule efficiency waldo kitty (Jul 23)
- Re: Rule efficiency Isherwood, Jeffrey - IS (Jul 23)
- Re: Rule efficiency Alex Kirk (Jul 23)
- MP3's are evil... Searching for traffic based upon uploaded file type... Isherwood, Jeffrey - IS (Aug 05)
- Re: MP3's are evil... Searching for traffic based upon uploaded file type... Joel Esler (Aug 05)
- Re: MP3's are evil... Searching for traffic basedupon uploaded file type... Castle, Shane (Aug 05)
- Re: MP3's are evil... Searching for traffic based upon uploaded file type... Joel Esler (Aug 05)
- Re: MP3's are evil... Searching for traffic based upon uploaded file type... Isherwood, Jeffrey - IS (Aug 05)
- Re: MP3's are evil... Searching for traffic based upon uploaded file type... Jason Haar (Aug 05)
- Re: MP3's are evil... Searching for traffic based upon uploaded file type... Joel Esler (Aug 05)
- Re: Rule efficiency Alex Kirk (Jul 23)
- Re: Rule efficiency waldo kitty (Jul 23)
- Re: Rule efficiency Isherwood, Jeffrey - IS (Jul 26)
- Re: Rule efficiency waldo kitty (Jul 26)