Snort mailing list archives
Re: Fine tuning Snort
From: James Lay <jlay () slave-tothe-box net>
Date: Fri, 08 Oct 2010 06:24:09 -0600
Thanks Waldo, It's been quite interesting...I have at least four rules that look for executables...and as I look at the threshold file I can only threshold against one IP at a time...meaning I've got a lot of work to do as I have to add pretty much most of google and windowsupdate.com ;) Even though I'm tempted to simply start snort to not monitor those netblocks, eh...I'd rather do the right thing. Thanks again for the help.

James

On 10/7/10 10:23 PM, "waldo kitty" <wkitty42 () windstream net> wrote:
> On 10/7/2010 14:02, James Lay wrote:
>> Kevin and Waldo, you gents are treasures... I will get to work and report my results... thank you much!
>
> something else to think about concerning rules that you would just totally suppress in threshold.conf... if they are completely suppressed then you might as well comment them out of the rules set so they do not consume any memory and snort won't waste any time loading them just to be ignoring them... but i guess this also depends on your tools and management systems... some may use only threshold to "disable" rules where others may actually comment them in the rules sets files... personally, i think the threshold file is best to suppress certain rules for certain IPs... total suppression is the same as disabled so... ;)

------------------------------------------------------------------------------
Beautiful is writing same markup. Internet Explorer 9 supports standards for HTML5, CSS3, SVG 1.1, ECMAScript5, and DOM L2 & L3. Spend less time writing and rewriting code and more time creating great experiences on the web. Be a part of the beta today. http://p.sf.net/sfu/beautyoftheweb
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
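The two approaches waldo contrasts above, written out as an added worked example (editor's illustration, not text or configuration from either post): a threshold.conf fragment that suppresses an "executable download" rule only for specific source netblocks, a rate-limited middle ground, and the alternative of commenting the rule out of its .rules file so Snort never loads it. The SIDs 1000001-1000003 (chosen from the local-rule range), the RFC 5737 documentation netblocks and the rule text are placeholders, not the rules James is tuning.

```conf
# threshold.conf fragment (added example; SIDs, netblocks and rule text are placeholders)

# Per-source suppression: keep the rule active everywhere except for content
# coming FROM these netblocks. The executable arrives from the server, so the
# server is the packet source and track by_src is the direction to key on;
# by_dst would key on the internal client that requested the file instead.
# Snort accepts a CIDR here, so a whole netblock needs only one line.
suppress gen_id 1, sig_id 1000001, track by_src, ip 192.0.2.0/24
suppress gen_id 1, sig_id 1000001, track by_src, ip 198.51.100.0/24
# Repeat the pair for every SID that fires on the same downloads.

# Rate limiting instead of silencing: at most one alert per source per hour,
# so a previously unseen download source still shows up once.
event_filter gen_id 1, sig_id 1000002, type limit, track by_src, count 1, seconds 3600

# Total suppression (no track/ip) is what waldo calls "the same as disabled":
# the rule is still loaded and evaluated, only the resulting event is dropped.
# suppress gen_id 1, sig_id 1000003

# local.rules: the equivalent of total suppression, but the rule is never
# compiled, so it costs no memory and no startup time (placeholder rule).
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PLACEHOLDER exe download"; \
#     flow:to_client,established; file_data; content:"MZ"; depth:2; \
#     classtype:policy-violation; sid:1000003; rev:1;)
```

After editing either file, run Snort in test mode (`snort -T -c /etc/snort/snort.conf`) so a mistyped suppress line or a suppress that references a SID no longer present in the rule set is caught before the sensor is restarted. Note that suppress and event_filter act after detection, so they reduce alert noise but not the matching work; only removing or commenting out the rule does that.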
Current thread:
- Fine tuning Snort James Lay (Oct 07)
- Re: Fine tuning Snort waldo kitty (Oct 07)
- <Possible follow-ups>
- Re: Fine tuning Snort James Lay (Oct 07)
- Re: Fine tuning Snort waldo kitty (Oct 07)
- Re: Fine tuning Snort James Lay (Oct 08)
- Re: Fine tuning Snort ScottO (Oct 08)
- Re: Fine tuning Snort James Lay (Oct 08)
- Re: Fine tuning Snort Joel Esler (Oct 08)
- Re: Fine tuning Snort James Lay (Oct 08)
- Re: Fine tuning Snort waldo kitty (Oct 07)
- Re: Fine tuning Snort waldo kitty (Oct 08)
- Re: Fine tuning Snort James Lay (Oct 08)
- Re: Fine tuning Snort Jefferson, Shawn (Oct 08)
- Re: Fine tuning Snort James Lay (Oct 09)
- Re: Fine tuning Snort Joel Esler (Oct 09)
