Re: Fine tuning Snort
From: waldo kitty <wkitty42 () windstream net>
Date: Fri, 08 Oct 2010 12:45:18 -0400

On 10/8/2010 08:24, James Lay wrote:
> Thanks Waldo,
>
> It's been quite interesting...I have at least four rules that look for
> executables...and as I look at the threshold file I can only threshold
> against one IP at a time...meaning I've got a lot of work to do as I have
> to add pretty much most of google and windowsupdate.com ;)

you should be able to use CIDRs for blocks of IPs... you can also put them
together on one line... I was not sure which way to do this would be the best so
I asked in here (I think) a week or so back... the basic consensus was one IP
per line is easier to manage... you only have to comment out or delete that one
line when it is no longer needed and adding one is as simple as copying an
existing one and changing the IP...

> Even though I'm tempted to simply start snort to not monitor those
> netblocks, eh...I'd rather do the right thing.

I know that feeling... it is like accepting DNS data from an external DNS server
but do you really want to accept and trust ALL traffic from that server? not
especially if it started coming from that server without being requested first
;) so a threshold suppressing some DNS related GIDs/SIDs for that server's IP
comes in handy and allows you to not get overrun by that stuff but still be able
to monitor for other stuff from the same IP...
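An added example, not code from this thread or from Snort itself: a small Python model of how threshold.conf `suppress` entries match alerts, showing the one-IP-per-line and CIDR styles discussed above side by side. The config lines, GID/SID numbers and addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, List, Union

# Constructed threshold.conf-style entries (not from the thread).
# Form: suppress gen_id <gid>, sig_id <sid>, track <by_src|by_dst>, ip <ip-or-cidr>
CONSTRUCTED_CONF = """
# one IP per line: easy to delete when the upstream DNS server changes
suppress gen_id 1, sig_id 100001, track by_src, ip 192.0.2.53
# a CIDR covers a whole block in one line, but hides every host in it
suppress gen_id 1, sig_id 100002, track by_dst, ip 203.0.113.0/24
# no track/ip part: silence the signature everywhere (rarely what you want)
suppress gen_id 1, sig_id 100003
"""

@dataclass
class Suppress:
    gid: int
    sid: int
    track: Optional[str]                                  # by_src / by_dst / None
    net: Optional[Union[ipaddress.IPv4Network, ipaddress.IPv6Network]]

def parse_suppress(conf: str) -> List[Suppress]:
    """Parse 'suppress' lines; comments and other directives are ignored."""
    entries = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("suppress"):
            continue
        fields = {}
        for part in line[len("suppress"):].split(","):
            key, _, value = part.strip().partition(" ")
            fields[key] = value.strip()
        # strict=False lets a plain host address parse as a /32 (or /128)
        net = ipaddress.ip_network(fields["ip"], strict=False) if "ip" in fields else None
        entries.append(Suppress(int(fields["gen_id"]), int(fields["sig_id"]),
                                fields.get("track"), net))
    return entries

def is_suppressed(entries: List[Suppress], gid: int, sid: int, src: str, dst: str) -> bool:
    """True if an alert (gid, sid, src, dst) is swallowed by any suppress entry."""
    for e in entries:
        if (e.gid, e.sid) != (gid, sid):
            continue
        if e.net is None:                       # whole-signature suppression
            return True
        addr = ipaddress.ip_address(src if e.track == "by_src" else dst)
        if addr in e.net:                       # only the tracked side is checked
            return True
    return False
```

Running `is_suppressed` over your own alert log with the same (gid, sid, src, dst) tuples shows which entries actually fire, which helps spot a CIDR that silences more than the one server it was added for.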
