Snort mailing list archives

Re: [Emerging-Sigs] weirdness


From: Will Metcalf <william.metcalf () gmail com>
Date: Mon, 16 Aug 2010 23:00:37 -0500

> Correct... the pattern group will be selected based on the ports.
> Through our many years of research, we've found that qualifying
> rules based on pattern, then individual rule options, then by
> IP addrs & UDP/TCP hdr ports is most efficient in terms of speed
> and memory efficiency.

Ok just need clarification.  Thanks Steve..

> And, typically, you won't see traffic on your link unless it's very
> closely related to your IP or subnet.  Otherwise, you could snoop
> everyone's in & outbound traffic across the entire ISP, etc.

I was thinking more for an organization that has say a /24 or
something where their public address space may share the same public
address space as the NAT's for their client traffic, and their sensor
is watching, say, the public interface of their fw.  I think
this scenario is pretty common.

> This almost sounds like a matter of tuning the ruleset for where Snort
> is deployed....

It is indeed.  Thanks again.  I guess rule writers just need to keep
this in mind when writing sigs.

Regards,

Will
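An added configuration example, not from the original thread or the Snort project, for the deployment Will describes above: a sensor on the firewall's public interface watching one /24 that holds both public servers and the NAT pool for internal clients. The prefix 192.0.2.0/24, the split into server and NAT halves, the SIDs, the messages and the "../" content string are all assumptions made for illustration.

```snort
# Assumed layout for this example (not from the thread):
#   192.0.2.0/25   = public servers behind the firewall
#   192.0.2.128/25 = NAT pool used for internal clients' outbound traffic
# Both halves are "ours", so HOME_NET still covers the whole /24 for the
# preprocessors and for any stock rule that uses it.
ipvar HOME_NET [192.0.2.0/24]
ipvar EXTERNAL_NET !$HOME_NET

# Carve the /24 so a rule can say which half it means instead of
# relying on $HOME_NET, which is ambiguous on this link.
ipvar SERVERS  [192.0.2.0/25]
ipvar NAT_POOL [192.0.2.128/25]
portvar HTTP_PORTS [80,8080]

# Server-side rule: fires only for requests arriving at our public servers.
alert tcp $EXTERNAL_NET any -> $SERVERS $HTTP_PORTS ( \
    msg:"EXAMPLE inbound request with traversal sequence in URI"; \
    flow:to_server,established; content:"../"; http_uri; \
    classtype:web-application-attack; sid:1000001; rev:1; )

# Client-side rule: fires only when a NAT'd internal client sends the same
# request out to an external server on the same ports.
alert tcp $NAT_POOL any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"EXAMPLE outbound client request with traversal sequence in URI"; \
    flow:to_server,established; content:"../"; http_uri; \
    classtype:policy-violation; sid:1000002; rev:1; )
```

Under the ordering Steve describes above, both rules fall into the same port group (destination ports 80 and 8080), so their "../" content is pattern-matched against every packet to those ports the sensor sees, and the IP variables are only consulted afterwards. Splitting $HOME_NET into $SERVERS and $NAT_POOL therefore does not change how much matching the engine does; what it changes is which alert fires, so the analyst can tell an attack on a server from an outbound request by an internal client without re-examining the addresses by hand.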
