Snort mailing list archives
Re: snort DOS rules & DDOS rules
From: Alex Kirk <akirk () sourcefire com>
Date: Wed, 7 Jul 2010 10:10:43 -0400
The DDOS rules are all very old, and are specific to particular tools that were in the wild at the time of their release (roughly a decade ago). We've disabled them because those tools have largely fallen by the wayside. Since, as a general guideline, the fewer rules you run, the faster Snort will perform, these are disabled in favor of more relevant, current threats.

The DOS rules are actually not all disabled (yes, a lot of them are, but not all). Those which we've disabled are either:

* In the same category as the DDOS rules - they're looking for old tools that aren't out there any more
* Looking for vulnerabilities that are old enough we've disabled them by default, for similar reasons
* Current, but performance-intensive; we let admins that need those rules turn them on specifically, to avoid a performance hit for users who don't need them

The biggest potential harm you're looking at is a performance decrease. Whether or not that's relevant will depend on your environment - if your Snort box has plenty of resources left, you'll probably be OK, but if it's already on the edge of dropping packets, you should probably only enable those rules that you can justify, so you don't lose out on current detection in favor of something unlikely to be in the wild.

On Wed, Jul 7, 2010 at 9:38 AM, Lawrence R. Hughes, Sr. <lhughes () safemedia com> wrote:
Hi,

I have noticed when downloading updated rules, that DDOS & DOS rules are all disabled. Have the above been replaced by so_dos rules? Is there any harm enabling the DDOS & DOS rules?

Thanks,
Larry
--
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com
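Alex's advice to enable only the disabled DOS rules you can justify amounts to a per-SID review of the commented-out lines in the rules file. The following is an added example, not code from the thread, Sourcefire or the Snort project: it lists the disabled rules in a rules-file fragment with their msg text and re-enables only a chosen set of SIDs, leaving everything else untouched. The rules file content and the SIDs are constructed samples, not real VRT signatures.

```python
import re

# Constructed sample dos.rules fragment; placeholder SIDs, not real VRT rules.
# In Snort's text format a disabled rule is simply the rule line commented out with '#'.
SAMPLE_RULES = """\
# dos.rules (constructed fragment)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"DOS sample old tool probe"; flow:to_server,established; content:"OLDTOOL"; classtype:attempted-dos; sid:1000001; rev:3;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DOS sample current flood"; threshold:type both,track by_dst,count 500,seconds 10; classtype:attempted-dos; sid:1000002; rev:1;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"DOS sample performance-intensive rule"; content:"|16 03|"; depth:2; byte_test:2,>,16000,3; classtype:attempted-dos; sid:1000003; rev:2;)
"""

# A rule line: optional leading '#', an action keyword, and a sid option somewhere in the body.
RULE_RE = re.compile(
    r'^(?P<disabled>#\s*)?(?P<action>alert|drop|pass|log|reject|sdrop)\s+\S.*\bsid:\s*(?P<sid>\d+)\s*;',
    re.IGNORECASE,
)
MSG_RE = re.compile(r'msg:\s*"([^"]*)"')


def parse_rules(text):
    """Yield (sid, msg, disabled) for each rule line; ordinary comments and blanks are skipped."""
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        msg = MSG_RE.search(line)
        yield (int(m.group('sid')), msg.group(1) if msg else '', m.group('disabled') is not None)


def list_disabled(text):
    """Return [(sid, msg)] for the commented-out rules: the review list to justify before enabling."""
    return [(sid, msg) for sid, msg, disabled in parse_rules(text) if disabled]


def enable_sids(text, sids):
    """Return the rules text with only the given SIDs uncommented; all other lines are unchanged."""
    wanted = {int(s) for s in sids}
    out = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m and m.group('disabled') and int(m.group('sid')) in wanted:
            line = line[len(m.group('disabled')):]  # drop the leading '#' and any spaces after it
        out.append(line)
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    for sid, msg in list_disabled(SAMPLE_RULES):
        print(f'disabled sid:{sid}  {msg}')
    print(enable_sids(SAMPLE_RULES, [1000003]))
```

Running it against a real dos.rules file gives the list of disabled rules to review; the output of enable_sids is what you would write back (or feed to your rule-management tooling) after deciding which SIDs are worth their cost on your sensor.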