Snort mailing list archives

Re: snort DOS rules & DDOS rules


From: Alex Kirk <akirk () sourcefire com>
Date: Wed, 7 Jul 2010 10:10:43 -0400

The DDOS rules are all very old, and are specific to particular tools that
were in the wild at the time of their release (roughly a decade ago). We've
disabled them because those tools have largely fallen by the wayside. Since,
as a general guideline, the fewer rules you run, the faster Snort will
perform, these are disabled in favor of more relevant, current threats.

The DOS rules are actually not all disabled (yes, a lot of them are, but not
all). Those which we've disabled are either:

* In the same category as the DDOS rules - they're looking for old tools
that aren't out there any more
* Looking for vulnerabilities that are old enough we've disabled them by
default, for similar reasons
* Current, but performance-intensive; we let admins that need those rules
turn them on specifically, to avoid a performance hit for users who don't
need them

The biggest potential harm you're looking at is a performance decrease.
Whether or not that's relevant will depend on your environment - if your
Snort box has plenty of resources left, you'll probably be OK, but if it's
already on the edge of dropping packets, you should probably only enable
those rules that you can justify, so you don't lose out on current detection
in favor of something unlikely to be in the wild.

On Wed, Jul 7, 2010 at 9:38 AM, Lawrence R. Hughes, Sr. <lhughes () safemedia com> wrote:

Hi,

I have noticed when downloading updated rules, that DDOS & DOS rules are
all disabled.
Have the above been replaced by so_dos rules?

Is there any harm enabling the DDOS & DOS rules?

Thanks,
Larry




------------------------------------------------------------------------------
This SF.net email is sponsored by Sprint
What will you do first with EVO, the first 4G phone?
Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com
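The advice in the reply above comes down to a bookkeeping task: know which DOS/DDOS rules in a downloaded ruleset are commented out, and turn on only the specific SIDs you can justify rather than the whole file. The script below is an added example, not part of the original thread and not Sourcefire or Snort project code. It parses Snort 2.x rules-file syntax, where a disabled rule is the rule line with a leading `#`, reports enabled versus disabled counts, and re-enables an explicit set of SIDs while leaving everything else as shipped. The sample rules, their SIDs and message text are constructed for the example and do not correspond to any real ruleset.

```python
import re

# Constructed sample in Snort 2.x rules-file syntax (not from any real ruleset).
# A rule is disabled by commenting out its line with a leading "#".
SAMPLE_DOS_RULES = """\
# Constructed examples only
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7 (msg:"EXAMPLE DOS old tool"; sid:9000001; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXAMPLE DOS current"; sid:9000002; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE DOS costly"; pcre:"/.*/"; sid:9000003; rev:1;)
"""

# One rule per line: an optional comment prefix (meaning disabled), then an
# action keyword, the header, and an option block that carries "sid:<n>;".
RULE_RE = re.compile(
    r'^(?P<prefix>\s*#\s*)?'
    r'(?P<body>(?:alert|log|pass|drop|reject|sdrop)\s+\S+\s+.*'
    r'\bsid\s*:\s*(?P<sid>\d+)\s*;.*\)\s*)$'
)


def parse_rules(text):
    """Return a list of {sid, enabled, line} for every rule line in the file.

    Plain comments (lines without an action keyword and a sid) are skipped,
    so only real rules, enabled or commented out, are counted.
    """
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        rules.append({
            "sid": int(m.group("sid")),
            "enabled": m.group("prefix") is None,
            "line": line,
        })
    return rules


def summarize(rules):
    """Return (enabled_count, disabled_count) for a parsed rule list."""
    enabled = sum(1 for r in rules if r["enabled"])
    return enabled, len(rules) - enabled


def enable_sids(text, sids):
    """Uncomment only the rules whose SID is in `sids`; leave all other lines unchanged.

    This is the allowlist approach from the thread: justify each rule you turn on
    instead of enabling an entire old category and paying the performance cost.
    """
    wanted = set(sids)
    out = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m and m.group("prefix") is not None and int(m.group("sid")) in wanted:
            out.append(m.group("body"))
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    before = parse_rules(SAMPLE_DOS_RULES)
    print("as shipped: enabled=%d disabled=%d" % summarize(before))
    # Hypothetical decision: SID 9000003 is justified for this sensor, the rest stay off.
    after = parse_rules(enable_sids(SAMPLE_DOS_RULES, {9000003}))
    print("after allowlist: enabled=%d disabled=%d" % summarize(after))
```

Run it against a real `dos.rules` or `ddos.rules` by reading the file into `enable_sids` and writing the result back; the function never touches lines it does not recognise as rules, so plain comments and blank lines survive, and a SID that is already enabled is left alone. Reloading Snort after the change is, as the reply notes, the moment to watch packet-drop statistics on a box that is already near capacity.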