Snort mailing list archives

RE: Rule Selection


From: "Miner, Jonathan W (CSC) (US SSA)" <jonathan.w.miner () baesystems com>
Date: Thu, 10 Feb 2005 06:54:06 -0500

Depends on what you're looking for.  I run some snort sensors "wide open" in order to monitor and profile all the 
attacks that are occurring.  In other cases, only selected rules are enabled.
 
For example, if your firewall only allows Port 80 traffic, then running snort with "all" the rules behind the firewall 
will alert you to other traffic that might be "leaking" through.
 

        -----Original Message----- 
        From: snort-users-admin () lists sourceforge net on behalf of Rudi Starcevic 
        Sent: Thu 02/10/2005 01:30 PM 
        To: snort-users () lists sourceforge net 
        Cc: 
        Subject: [Snort-users] Rule Selection
        
        

        Hi,
        
        A colleague of mine suggested to me that a machine with only port 80
        open ( www server ) one should only use www Snort rules.
        That would mean not using a lot of available rules for intrusion
        detection, is that wise ?
        
        Thanks
        Best regards
        Rudi
        
        
        
        
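An added example, not part of either message: one way to act on the "leaking traffic" point in the reply is to post-process Snort fast-format alerts from a sensor behind the firewall and report any alert aimed at the web server on something other than TCP/80. The allowed-service set, host address, SIDs and alert lines are constructed assumptions.

```python
import re

# Snort "fast" alert line:
#   timestamp [**] [gid:sid:rev] msg [**] [...] {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

# Assumption: the firewall policy permits only TCP/80 to the protected host.
ALLOWED = {("TCP", 80)}


def find_leaks(lines, protected_hosts, allowed=ALLOWED):
    """Return alerts sent to a protected host on a service the firewall should block."""
    leaks = []
    for line in lines:
        m = ALERT_RE.search(line)
        if not m or m["dst"] not in protected_hosts:
            continue  # unparsable line, or traffic not destined for our server
        dport = int(m["dport"]) if m["dport"] else None  # ICMP carries no port
        if (m["proto"], dport) not in allowed:
            leaks.append((int(m["sid"]), m["proto"], m["dst"], dport, m["msg"]))
    return leaks


# Constructed sample alerts (documentation addresses, made-up local SIDs).
SAMPLE = [
    "02/10-06:54:06.100000  [**] [1:1000001:1] LOCAL web request anomaly [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.7:40112 -> 192.0.2.10:80",
    "02/10-06:54:07.200000  [**] [1:1000002:1] LOCAL ssh connection attempt [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.7:40113 -> 192.0.2.10:22",
    "02/10-06:54:08.300000  [**] [1:1000003:1] LOCAL icmp echo request [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.9 -> 192.0.2.10",
    "02/10-06:54:09.400000  [**] [1:1000004:1] LOCAL dns query [**] "
    "[Classification: Misc activity] [Priority: 3] {UDP} 192.0.2.10:53000 -> 198.51.100.53:53",
]

if __name__ == "__main__":
    for sid, proto, dst, dport, msg in find_leaks(SAMPLE, {"192.0.2.10"}):
        print(f"leak? sid={sid} {proto} -> {dst}:{dport} ({msg})")
```

This only works when the sensor runs with more than the web rules enabled, since a rule has to fire on the non-web traffic for it to appear in the alert file.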
        

