Snort mailing list archives

Re: Fine tuning Snort
From: James Lay <jlay () slave-tothe-box net>
Date: Fri, 08 Oct 2010 06:24:09 -0600

Thanks Waldo,

It's been quite interesting...I have at least four rules that look for
executables...and as I look at the threshold file I can only threshold
against one IP at a time...meaning I've got a lot of work to do as I have
to add pretty much most of google and windowsupdate.com ;)  Even though
I'm tempted to simply start snort to not monitor those netblocks, eh...I'd
rather do the right thing.

Thanks again for the help.

James


On 10/7/10 10:23 PM, "waldo kitty" <wkitty42 () windstream net> wrote:

On 10/7/2010 14:02, James Lay wrote:
Kevin and Waldo, you gents are treasures...I will get to work and report
my results...thank you much!

something else to think about concerning rules that you would just
totally suppress in threshold.conf... if they are completely suppressed
then you might as well comment them out of the rules set so they do not
consume any memory and snort won't waste any time loading them just to be
ignoring them... but i guess this also depends on your tools and
management systems... some may use only threshold to "disable" rules
where others may actually comment them in the rules sets files...
personally, i think the threshold file is best to suppress certain rules
for certain IPs... total suppression is the same as disabled so... ;)

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
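
An added example, not part of the original thread: a small Python audit of a threshold.conf that separates suppress entries with no IP scope (the same as a disabled rule, as the quoted reply notes) from entries scoped to an address or netblock. The sample file, its SIDs and its addresses are constructed for illustration; the suppress syntax follows the Snort manual.

```python
import re

# Constructed sample threshold.conf; SIDs and addresses are made up.
SAMPLE_CONF = """\
# executable-download rules, quiet only for known update servers
suppress gen_id 1, sig_id 1000001, track by_src, ip 192.0.2.0/24
suppress gen_id 1, sig_id 1000001, track by_src, ip 198.51.100.7
suppress gen_id 1, sig_id 1000002
suppress gen_id 1, sig_id 1000003, track by_dst, ip 203.0.113.0/24
"""

# suppress gen_id <gid>, sig_id <sid>[, track <by_src|by_dst>, ip <ip or CIDR>]
SUPPRESS_RE = re.compile(
    r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$"
)

def audit_suppressions(conf_text):
    """Return (total, scoped): rules suppressed everywhere, and per-IP entries."""
    total, scoped = set(), {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]          # drop comments
        m = SUPPRESS_RE.match(line)
        if not m:
            continue                          # not a suppress line
        key = (int(m.group(1)), int(m.group(2)))
        if m.group(3) is None:                # no track/ip: total suppression
            total.add(key)
        else:
            scoped.setdefault(key, []).append((m.group(3), m.group(4)))
    return sorted(total), scoped

def report(conf_text):
    """Build one human-readable line per suppressed rule."""
    total, scoped = audit_suppressions(conf_text)
    lines = []
    for gid, sid in total:
        lines.append(f"{gid}:{sid} suppressed everywhere; "
                     "candidate for commenting out in the rules file")
    for (gid, sid), entries in sorted(scoped.items()):
        targets = ", ".join(f"{track} {ip}" for track, ip in entries)
        lines.append(f"{gid}:{sid} suppressed only for {targets}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONF)))
```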


