Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Rule Selection

From: "Alex Butcher, ISC/ISYS" <Alex.Butcher () bristol ac uk>
Date: Thu, 10 Feb 2005 09:59:29 +0000


--On 10 February 2005 10:30 -0800 Rudi Starcevic <tech () wildcash com> wrote:


A colleague of mine suggested to me that a machine with only port 80 open
( www server ) one should only use www Snort rules.
That would mean not using alot of available rules for intrusion
detection, is that wise ?
As I understand Snort's workings, in this scenario the non-port 80 rules will only get run if Snort sees non port 80 traffic - i.e. there is little or no performance overhead in having other rules enabled if there's no traffic that gets past the basic host/port filters.
If anyone who's read the code reckons I'm wrong, feel free to correct me. ;-) 


Thanks
Best regards
Rudi


Best Regards,
Alex.
--
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9




-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: