Snort mailing list archives
Re: [Emerging-Sigs] No real performance penalty?
From: Joel Esler <jesler () sourcefire com>
Date: Wed, 11 Jan 2012 10:36:29 -0500
On Jan 11, 2012, at 6:30 AM, elof () sentor se wrote:
> Now, the main workload here is the Fast Pattern matching. The test to see if the packet is actually coming from src port 23 is only matched on the very few tcp packets that actually contain the pattern "login incorrect".

Right.

> Have I got it right, or is there a major reason why I should not choose to turn the telnet only rule into a general rule?

False positives and alert generation. You'd be dealing with a ton of alerts instead of only ones on port 23.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
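The trade-off discussed in this message, as an added example that is not part of the original e-mail and not Snort code: a simplified Python model of the evaluation order described above (content prefilter on every packet, source-port test only on packets that contain the pattern). The `Packet` type, the `evaluate` and `sample_traffic` functions, and all traffic are constructed for illustration.

```python
from collections import namedtuple

# Constructed packet model: only the fields this comparison needs.
Packet = namedtuple("Packet", "src_port payload")
PATTERN = b"login incorrect"


def evaluate(packets, src_port=None):
    """Return (pattern_scans, port_checks, alerts) for one rule.

    src_port=23 models the telnet-only rule; src_port=None models the
    generalized rule that accepts any source port.
    """
    scans = checks = 0
    alerts = []
    for pkt in packets:
        scans += 1                    # prefilter cost: paid on every packet
        if PATTERN not in pkt.payload:
            continue
        if src_port is not None:
            checks += 1               # header test: only on pattern hits
            if pkt.src_port != src_port:
                continue
        alerts.append(pkt)
    return scans, checks, alerts


def sample_traffic():
    """Constructed traffic: mostly unrelated HTTP, a few pattern hits."""
    pkts = [Packet(80, b"HTTP/1.1 200 OK\r\n\r\nhello %d" % i)
            for i in range(1000)]
    pkts += [Packet(23, b"\r\nlogin incorrect\r\nlogin: ")] * 2      # telnet
    pkts += [Packet(80, b"<p>login incorrect, try again</p>")] * 3  # web page
    pkts += [Packet(25, b"Subject: why do I get login incorrect?")]  # mail
    return pkts


if __name__ == "__main__":
    for label, port in (("telnet-only (src port 23)", 23),
                        ("general (any src port)", None)):
        scans, checks, alerts = evaluate(sample_traffic(), port)
        print(f"{label}: scans={scans} port_checks={checks} "
              f"alerts={len(alerts)}")
```

Both rules pay the same pattern-scan cost; what changes is the alert volume, since the general rule also fires on the web and mail payloads that merely contain the string.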