Snort mailing list archives
Re: Rule performance profiling question
From: waldo kitty <wkitty42 () windstream net>
Date: Thu, 16 Sep 2010 00:33:36 -0400
On 9/15/2010 21:53, Joel Esler wrote:
Which environment is that?
not one of the common "today" OS setups... it is a dedicated firewall appliance that is available via commercial or FOSS... for the FOSS version, one downloads an ISO, burns it and installs it to an old (as in dumpster diving age) computer with up to 4 NICs in it... originally it started out as an extremely stripped redhat but has moved on to become its own distribution... IIRC, we're up to kernel 2.16.60... it is "tried and true" and any holes are known and patched ;) when we first attempted to use the SO rules, we had to try several different ones until we found one that was compatible and didn't crash the machine... IIRC we had to use the Centos-4.6 ones but that was a year ago and i'm not sure which kernel was being used at that time... in fact, my kernel version above is actually behind by one or two due to development issues preventing my applying the latest updates to my boxen but as soon as i get these mods completed, tested and out the door, i plan on moving up to the latest fixpack and whatever kernel it contains... as an aside, it has taken another person the entire past year to bring the FOSS version up to the "latest and greatest" versions of everything... kernel, drivers, toolchains, apps, etc... but it is extremely experimental and deity knows what security holes the latest versions of everything may have in them compared to what was being used... yes... extremely experimental and definitely not for the faint of heart to play with... even with the most up to date versions that compile and work together without breakage... i think they're still beating up on openswan and i'm not sure they'll get it operational... that's kinda one that is expected to end up in the bitbucket... seems that even the openswan folk don't know how it works any more :/
On Wednesday, September 15, 2010, waldo kitty <wkitty42 () windstream net> wrote:
On 9/15/2010 18:36, Joel Esler wrote:
Both are SO rules.
ahhh... ok so they are GID 3 which i'm not using at this time due to kernel changes in my environment... hopefully you guys will still be releasing SO rules that are compatible with the kernel that my environment is "stuck" using for security reasons...