Snort mailing list archives
Re: Fine tuning Snort
From: waldo kitty <wkitty42 () windstream net>
Date: Fri, 08 Oct 2010 12:45:18 -0400
On 10/8/2010 08:24, James Lay wrote:
Thanks Waldo, It's been quite interesting...I have at least four rules that look for executables...and as I look at the threshold file I can only threshold against one IP at a time...meaning I've got a lot of work to do as I have to add pretty much most of google and windowsupdate.com ;)
you should be able to use CIDRs for blocks of IPs... you can also put them together on one line... i was not sure which way to do this would be the best so i asked in here (i think) a week or so back... the basic consensus was one IP per line is easier to manage... you only have to comment out or delete that one line when it is no longer needed and adding one is as simple as copying an existing one and changing the IP...
Even though I'm tempted to simply start snort to not monitor those netblocks, eh...I'd rather do the right thing.
i know that feeling... it is like accepting DNS data from an external DNS server but do you really want to accept and trust ALL traffic from that server? not especially if it started coming from that server without being requested first ;) so a threshold suppressing some DNS related GIDs/SIDs for that server's IP comes in handy and allows you to not get overrun by that stuff but still be able to monitor for other stuff from the same IP...
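As an added illustration of the approach discussed in this thread (constructed here, not taken from the original posts or the Snort distribution), this is what the relevant part of a Snort 2.x threshold.conf could look like: the noisy executable-download and DNS rules are suppressed only for the named source blocks, while every other rule keeps firing for those hosts. gen_id 1 is the text-rule generator; the sig_id values and the netblocks are placeholders.

```conf
# Constructed example for a Snort 2.x threshold.conf (placeholder SIDs, RFC 5737 test netblocks).
# A suppress line drops alerts for one GID/SID from the listed sources only; all other
# rules still fire for those hosts, which is what makes this preferable to simply
# excluding the netblock from monitoring altogether.

# One CIDR block per line: easy to comment out or delete when it is no longer needed.
suppress gen_id 1, sig_id 1000001, track by_src, ip 203.0.113.0/24
suppress gen_id 1, sig_id 1000001, track by_src, ip 198.51.100.0/24

# Several addresses or blocks on a single line, written as a bracketed IP list.
suppress gen_id 1, sig_id 1000002, track by_src, ip [203.0.113.10, 198.51.100.0/26]

# Unrequested DNS from a trusted external resolver: suppress just the DNS-related
# SID for that resolver's address, not everything it sends.
suppress gen_id 1, sig_id 1000003, track by_src, ip 192.0.2.53

# Rate-limit instead of silencing: at most one alert per source per minute for a
# rule that otherwise floods (event_filter is the replacement for the older
# "threshold" keyword in threshold.conf).
event_filter gen_id 1, sig_id 1000004, type limit, track by_src, count 1, seconds 60
```

Suppressed events still count against any matching event_filter, so a rule can be both rate-limited in general and fully silenced for a known-good netblock.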