Snort mailing list archives
Re: icmp pass rules
From: "Stephen Reese" <rsreese () gmail com>
Date: Tue, 28 Oct 2008 09:31:45 -0400
Yes. My calc was not accurate but you get the idea. You could also use a custom variable defined to your 'specific' addresses saving the increased config settings. $MY_HOSTS for instance.
It doesn't seem like you can use variables for suppression but that's not a big deal.
I'm just offering an idea, and wondering why you wouldn't do this? I think what is tedious is actually flexibility, since you are not forced to have 'a' sensor in 'a' location, you can have multiple sensors that obviously could be fed more specific activity. Typically I find getting your 'settings' for each sensor to be as specific as possible;
-reduces false positives
-reduces alert activity to specific issues.
-allows our management interface to view more specific activity based on granular approach. For instance a change to our web servers doesn't affect our desktops, etc.

Maybe separate sensors, one for each net would be a better approach?

--
James Friesen, CIO
Lucretia.ca ¨Our World Is Here...¨
http://lucretia.ca
info () lucretia ca

I believe your logic is correct. A sensor for each network would be rather cumbersome not to mention expensive due to the additional hardware requirements.
