Snort mailing list archives

Re: Newbie questions are as newbie questions does


From: Erek Adams <erek () snort org>
Date: Tue, 8 Apr 2003 10:09:21 -0500 (EST)

On Mon, 7 Apr 2003, Geoff Craig wrote:

> In a "theoretical" deployment, say you had one Snort box that was
> monitoring traffic going to 3 boxes, 2 real web servers, and 1 honeypot.
> So, I have a rule that alerts on all port 80 traffic going to the
> honeypot, but just the web-iis.rules for the other 2 web servers.  Will
> the rule that logs all port 80 traffic cause the web-iis.rules to not be
> fired when going to the honeypot?  If I need to be more in depth let me
> know.
>
> In other words, what happens if two rules happen to be a positive for a
> certain packet or stream?  If only one fires how can you control which
> one?

If you're going to 'log' all traffic going to port 80 on your honeypot,
I'd suggest using Tcpdump instead of Snort.  If all you want is to log
packets, there's no real need to use the extra overhead of Snort.
Granted, you'll need to change the snaplen with Tcpdump to get the entire
packet.  That would eliminate the overhead of the rule engine and such.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
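The capture-with-tcpdump approach from the reply above, written out as an added example (not part of the original post, and not Snort's or tcpdump's own code). It builds a full-snaplen tcpdump capture restricted to port 80 on the honeypot, and a second command that replays the resulting pcap through Snort offline, so the web-iis rules can still be run against the honeypot traffic without the rule engine sitting on the live path. The interface `eth0`, the honeypot address `192.0.2.10`, the pcap path and the snort.conf path are assumed values; change them to match the deployment.

```shell
#!/bin/sh
# Added example: log all port-80 traffic to a honeypot with tcpdump instead
# of Snort, then replay the capture through Snort afterwards.
# Assumed values (not from the original post): eth0, 192.0.2.10, paths below.

IFACE="${IFACE:-eth0}"
HONEYPOT="${HONEYPOT:-192.0.2.10}"
PCAP="${PCAP:-/var/log/honeypot-80.pcap}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
LOGDIR="${LOGDIR:-/var/log/snort}"

# BPF filter: only TCP segments destined to the given host and port.
# $1 = destination host, $2 = destination port
bpf_filter() {
    printf 'tcp and dst host %s and dst port %s' "$1" "$2"
}

# tcpdump command line. The default snaplen truncates packets (68 bytes on
# tcpdump of that era), so -s 0 is needed to keep the whole packet, which
# is the snaplen change the reply refers to. -n skips DNS lookups, -w writes
# raw pcap rather than decoded text.
# $1 = interface, $2 = output pcap, $3 = honeypot address
capture_cmd() {
    printf "tcpdump -i %s -n -s 0 -w %s '%s'" "$1" "$2" "$(bpf_filter "$3" 80)"
}

# Snort command line to replay the pcap through the full rule set offline:
# -r reads a pcap file, -c loads the config, -l sets the log directory.
# $1 = pcap file, $2 = snort.conf, $3 = log directory
replay_cmd() {
    printf 'snort -r %s -c %s -l %s' "$1" "$2" "$3"
}

# Only execute the commands when explicitly asked ("run" or "replay"), so the
# script can be sourced or inspected without needing root or tcpdump.
case "${1:-}" in
    run)    eval "$(capture_cmd "$IFACE" "$PCAP" "$HONEYPOT")" ;;
    replay) eval "$(replay_cmd "$PCAP" "$SNORT_CONF" "$LOGDIR")" ;;
    *)      : ;;
esac
```

Run `sh honeypot-capture.sh run` (as root, or with capture privileges) to start logging, and `sh honeypot-capture.sh replay` later to push the capture through Snort; because tcpdump keeps the whole packet, the content-matching rules in web-iis.rules see exactly what they would have seen on the wire.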


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
