Snort mailing list archives
Re: [Emerging-Sigs] weirdness
From: Will Metcalf <william.metcalf () gmail com>
Date: Mon, 16 Aug 2010 23:00:37 -0500
> Correct... the pattern group will be selected based on the ports. Through our many years of research, we've found that qualifying rules based on pattern, then individual rule options, then by IP addrs & UDP/TCP hdr ports is most efficient in terms of speed and memory efficiency.

Ok, just need clarification. Thanks Steve.

> And, typically, you won't see traffic on your link unless it's very closely related to your IP or subnet. Otherwise, you could snoop everyone's in & outbound traffic across the entire ISP, etc.

I was thinking more for an organization that has, say, a /24 or something where their public address space may share the same public address space as the NAT's for their client traffic, and their sensor is watching, say, the public interface of their fw. I think this scenario is pretty common.

> This almost sounds like a matter of tuning the ruleset for where Snort is deployed....

It is indeed. Thanks again. I guess rule writers just need to keep this in mind when writing sigs.

Regards,
Will
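The evaluation order Steve describes (port group first, then fast pattern, then the other rule options, then IP addresses and ports) and the shared-/24 NAT scenario Will raises, as an added illustration written for this archive page. It is a toy model, not Snort's code; the sids, the 203.0.113.0/24 and 198.51.100.0/24 addresses and the payloads are constructed.

```python
"""Toy model of the evaluation order described in this thread (added example,
not Snort's code). Rules are bucketed by the ports they name, a packet picks
its buckets by its own ports, the bucket's fast patterns are searched, the
survivors get their other options checked, and only then are $HOME_NET /
$EXTERNAL_NET and the rule's ports compared against the packet."""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Rule:
    sid: int
    src_net: str        # "$HOME_NET", "$EXTERNAL_NET", "any" or a CIDR
    src_port: str       # "any" or a port number as a string
    dst_net: str
    dst_port: str
    fast_pattern: bytes                          # content used for the group search
    options: list = field(default_factory=list)  # further content checks


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


class ToyEngine:
    def __init__(self, rules, home_net):
        self.home = [ipaddress.ip_network(n) for n in home_net]
        # Done once at load: group rules by the ports they name. A rule with
        # "any" on a side lands in the "any" group, consulted for every packet.
        self.groups = {}
        for r in rules:
            for p in {r.src_port, r.dst_port}:
                self.groups.setdefault(p, []).append(r)

    def _net_ok(self, spec, ip):
        addr = ipaddress.ip_address(ip)
        in_home = any(addr in n for n in self.home)
        if spec == "any":
            return True
        if spec == "$HOME_NET":
            return in_home
        if spec == "$EXTERNAL_NET":
            return not in_home
        return addr in ipaddress.ip_network(spec)

    @staticmethod
    def _port_ok(spec, port):
        return spec == "any" or int(spec) == port

    def evaluate(self, pkt):
        """Return (alerting sids, per-stage counters) for one packet."""
        stats = {"candidates": 0, "fast_pattern": 0, "options": 0, "ip_port": 0}
        # Stage 1: pick rule groups by the packet's ports only.
        seen, candidates = set(), []
        for key in (str(pkt.sport), str(pkt.dport), "any"):
            for r in self.groups.get(key, []):
                if r.sid not in seen:
                    seen.add(r.sid)
                    candidates.append(r)
        stats["candidates"] = len(candidates)
        alerts = []
        for r in candidates:
            # Stage 2: fast pattern search over the payload.
            if r.fast_pattern not in pkt.payload:
                continue
            stats["fast_pattern"] += 1
            # Stage 3: remaining rule options.
            if not all(c in pkt.payload for c in r.options):
                continue
            stats["options"] += 1
            # Stage 4: addresses and ports are compared last.
            if (self._net_ok(r.src_net, pkt.src) and self._port_ok(r.src_port, pkt.sport)
                    and self._net_ok(r.dst_net, pkt.dst) and self._port_ok(r.dst_port, pkt.dport)):
                stats["ip_port"] += 1
                alerts.append(r.sid)
        return alerts, stats


# Constructed scenario: one /24 holds both the organisation's servers and the
# NAT pool for client egress; the sensor watches the firewall's public side.
HOME_NET = ["203.0.113.0/24"]
RULES = [
    # sid 1000001: request for an admin path, written as inbound-only.
    Rule(1000001, "$EXTERNAL_NET", "any", "$HOME_NET", "80", b"/admin", [b"GET "]),
    # sid 1000002: the same pattern, written direction-agnostic.
    Rule(1000002, "any", "any", "any", "80", b"/admin", [b"GET "]),
]
ENGINE = ToyEngine(RULES, HOME_NET)

# Same payload in two directions; the second is a client leaving via the NAT pool.
INBOUND = Packet("198.51.100.7", 40000, "203.0.113.10", 80, b"GET /admin HTTP/1.1\r\n")
OUTBOUND_VIA_NAT = Packet("203.0.113.200", 40001, "198.51.100.9", 80, b"GET /admin HTTP/1.1\r\n")


def run():
    return {"inbound": ENGINE.evaluate(INBOUND),
            "outbound_via_nat": ENGINE.evaluate(OUTBOUND_VIA_NAT)}


if __name__ == "__main__":
    for name, (alerts, stats) in run().items():
        print(name, alerts, stats)
```

Both packets do the same amount of pattern and option work (the counters are identical through stage 3); the $EXTERNAL_NET check on sid 1000001 only acts at the end, and because the NAT pool sits inside HOME_NET the client's egress is treated as HOME_NET-sourced. That is the tuning point from the thread: the direction variables do not save matching cost, and a rule author has to decide what "external" means on a sensor that sees NAT'd client traffic from the organisation's own /24.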
Current thread:
- Re: [Emerging-Sigs] weirdness Steven Sturges (Aug 16)
- Re: [Emerging-Sigs] weirdness Will Metcalf (Aug 16)
- Re: [Emerging-Sigs] weirdness Steven Sturges (Aug 16)
- Re: [Emerging-Sigs] weirdness Will Metcalf (Aug 16)
- Re: [Emerging-Sigs] weirdness Steven Sturges (Aug 16)
- Re: [Emerging-Sigs] weirdness Will Metcalf (Aug 16)