Snort mailing list archives
RE: rules vs. suppress
From: "Lee Clemens" <snort () leeclemens net>
Date: Thu, 24 Mar 2005 00:49:33 -0500
That all makes sense, but a serious caveat: what suppress statement wouldn't cause the rule to be pointless? (alert any any <> 10/8 any) If the rule says alert when the IP is 10.* and I write a suppress by_src $HOME_NET and again by_dst $HOME_NET, then any illicit traffic will be suppressed if it is sent to one of my computers or from one of my computers to one of these non-existent (shouldn't-be) addresses (exactly what I don't want, and the reason for the rules in the first place). Am I overlooking a simple solution for this?

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Jeremy Hewlett
Sent: Wednesday, March 23, 2005 4:52 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] rules vs. suppress

> On Mon, Mar 21, Lee Clemens wrote:
> > But my question is this: Would it have been better to simply write SUPPRESS rules and specify my network in track by_src and track by_dst, or to keep these many rules that include every private network except my own?
>
> By adding these 21 rules, you're increasing the inspection time. Each packet that comes in will be evaluated sequentially against these rules. Suppression is a better choice: it's a simpler execution path, and you're not adding any additional rules.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
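The gap Lee describes above, as an added example that is not part of the original thread and is not Snort's own code: a small Python model of how a bidirectional 10/8 rule interacts with suppress entries tracked by_src and by_dst on $HOME_NET, compared with rules whose address match excludes HOME_NET (Lee's "many rules" approach). The HOME_NET value (10.20.0.0/16), the sample packets and the helper names are constructed assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed networks for the example (assumptions, not from the thread):
# HOME_NET is a /16 carved out of 10/8, which is the situation Lee describes.
HOME_NET = ipaddress.ip_network("10.20.0.0/16")
PRIVATE_10 = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def rule_fires(pkt: Packet, net: ipaddress.IPv4Network) -> bool:
    """Model of a bidirectional rule 'alert ip any any <> net any':
    it fires when either endpoint falls inside net."""
    return (ipaddress.ip_address(pkt.src) in net
            or ipaddress.ip_address(pkt.dst) in net)


def is_suppressed(pkt: Packet, entries) -> bool:
    """Model of Snort 'suppress ... track by_src|by_dst, ip <net>' entries:
    the alert is dropped when the tracked endpoint is inside the listed net."""
    for track, net in entries:
        addr = ipaddress.ip_address(pkt.src if track == "by_src" else pkt.dst)
        if addr in net:
            return True
    return False


def alerts_with_suppress(packets):
    """Jeremy's suggestion: one 10/8 rule plus suppress by_src and by_dst on HOME_NET."""
    entries = [("by_src", HOME_NET), ("by_dst", HOME_NET)]
    return [p for p in packets
            if rule_fires(p, PRIVATE_10) and not is_suppressed(p, entries)]


def alerts_with_exclusion_rules(packets):
    """Lee's current approach: rules covering 10/8 minus HOME_NET, so the
    exclusion lives in the rule's address match rather than in suppress."""
    slices = list(PRIVATE_10.address_exclude(HOME_NET))
    return [p for p in packets if any(rule_fires(p, s) for s in slices)]


# Constructed traffic; 203.0.113.0/24 is documentation space standing in for the Internet.
SAMPLE_PACKETS = [
    Packet("203.0.113.5", "10.20.1.1"),   # Internet -> my host: legitimate, no alert wanted
    Packet("10.20.1.1", "10.20.2.2"),     # my host -> my host: internal, no alert wanted
    Packet("10.20.1.1", "10.99.1.1"),     # my host -> non-existent 10/8 address: alert wanted
    Packet("10.99.1.1", "10.20.1.1"),     # non-existent 10/8 source -> my host: alert wanted
]


def compare(packets=SAMPLE_PACKETS):
    """Return the packets each approach alerts on, so the gap is visible."""
    return {
        "suppress": alerts_with_suppress(packets),
        "exclusion_rules": alerts_with_exclusion_rules(packets),
    }


if __name__ == "__main__":
    for name, hits in compare().items():
        print(name)
        for p in hits:
            print("  alert", p.src, "->", p.dst)
```

With by_src and by_dst both tracked on HOME_NET, every packet that touches one of Lee's hosts is silenced, including the host-to-bogus-10/8 cases the rules exist to catch, so the suppress model produces no alerts at all on this sample. The exclusion-rule model keeps the two wanted alerts because the exclusion is part of the address match rather than a post-detection filter. Whether a single Snort rule can express that exclusion with a negated entry inside its IP list depends on the IP-list syntax of the Snort version in use.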
Current thread:
- rules vs. suppress Lee Clemens (Mar 21)
- Re: rules vs. suppress Jeremy Hewlett (Mar 23)
- RE: rules vs. suppress Lee Clemens (Mar 23)
- Re: rules vs. suppress Jeremy Hewlett (Mar 31)
- RE: rules vs. suppress Lee Clemens (Mar 23)
- <Possible follow-ups>
- Re: RE: rules vs. suppress Salil D. (Mar 23)
- Re: rules vs. suppress Jeremy Hewlett (Mar 23)