Snort mailing list archives

Re: Reputation clarification


From: "Lay, James" <james.lay () wincofoods com>
Date: Wed, 7 Sep 2011 13:03:24 -0600

From: Russ Combs [mailto:rcombs () sourcefire com] 
Sent: Wednesday, September 07, 2011 12:44 PM
To: Lay, James
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Reputation clarification


On Wed, Sep 7, 2011 at 12:04 PM, Lay, James <james.lay () wincofoods com> wrote:
Hey all!

So…I’m doing my upgrade to 2.9.1….very excited.  A (possibly idiotic ;)) question I have on the Reputation preprocessor…this is really just an IP based black/whitelist yes?

Yes - at the moment.
 
If so, what would be the difference for “whitelisting” via startup command versus using the whitelist, say with:

snort -c snort.conf ip and not host bleh

Using a bpf can reduce the number of packets that Snort sees which helps performance.  Using reputation is a little more flexible since you can reload the config and change the white/black lists on the fly.
 

Also, if I’m reading the below right, does this mean that EVERY time a packet goes to google.com I’ll get an alert?  Thanks all.

If you enable the alerts, you will get them, subject to any event filters.  If you don't want the alerts, don't enable them.




Just what I needed...thanks Russ.

James
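
An added configuration sketch, not part of the thread or of either poster's setup, putting the two approaches discussed above side by side: a BPF on the command line and the reputation preprocessor with an event filter on its alerts. The address 192.0.2.10, the /etc/snort/rules paths, the list entries and the filter thresholds are constructed placeholders.

```conf
# Option 1: BPF on the command line (same form as the filter in the question).
# The capture filter discards matching packets before Snort decodes them, so
# no preprocessor or rule ever sees the excluded host. The filter is fixed on
# the command line at startup.
#
#   snort -c snort.conf ip and not host 192.0.2.10

# Option 2: reputation preprocessor in snort.conf.
# Snort still receives every packet; the decision is made per IP against the
# two list files, which can be edited and picked up by a config reload.
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules

# memcap is in MB; "priority whitelist" decides which list wins when an
# address appears in both; "nested_ip inner" checks the inner address of
# encapsulated traffic.
preprocessor reputation: \
    memcap 500, \
    priority whitelist, \
    nested_ip inner, \
    whitelist $WHITE_LIST_PATH/white_list.rules, \
    blacklist $BLACK_LIST_PATH/black_list.rules

# List files hold one address or CIDR block per line, for example:
#   192.0.2.10
#   198.51.100.0/24

# Reputation events use generator ID 136 (SID 1: blacklisted packet,
# SID 2: whitelisted packet). If those alerts are enabled, an event filter
# keeps a busy destination from producing one alert per packet: here, at most
# one blacklist alert per source address every 60 seconds.
event_filter gen_id 136, sig_id 1, type limit, track by_src, count 1, seconds 60
```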