Snort mailing list archives

Re: Rule performance profiling question


From: waldo kitty <wkitty42 () windstream net>
Date: Thu, 16 Sep 2010 00:33:36 -0400

On 9/15/2010 21:53, Joel Esler wrote:
> Which environment is that?

not one of the common "today" OS setups... it is a dedicated firewall appliance 
that is available via commercial or FOSS... for the FOSS version, one downloads 
an ISO, burns it and installs it to an old (as in dumpster diving age) computer 
with up to 4 NICs in it... originally it started out as an extremely stripped 
redhat but has moved on to become its own distribution... IIRC, we're up to 
kernel 2.16.60... it is "tried and true" and any holes are known and patched ;)

when we first attempted to use the SO rules, we had to try several different 
ones until we found one that was compatible and didn't crash the machine... IIRC 
we had to use the Centos-4.6 ones but that was a year ago and i'm not sure which 
kernel was being used at that time... in fact, my kernel version above is 
actually behind by one or two due to development issues preventing my applying 
the latest updates to my boxen but as soon as i get these mods completed, tested 
and out the door, i plan on moving up to the latest fixpack and whatever kernel 
it contains...

as an aside, it has taken another person the entire past year to bring the FOSS 
version up to the "latest and greatest" versions of everything... kernel, 
drivers, toolchains, apps, etc... but it is extremely experimental and deity 
knows what security holes the latest versions of everything may have in them 
compared to what was being used... yes... extremely experimental and definitely 
not for the faint of heart to play with... even with the most up to date 
versions that compile and work together without breakage... i think they're 
still beating up on openswan and i'm not sure they'll get it operational... 
that's kinda one that is expected to end up in the bitbucket... seems that even 
the openswan folk don't know how it works any more :/


On Wednesday, September 15, 2010, waldo kitty<wkitty42 () windstream net>  wrote:
> On 9/15/2010 18:36, Joel Esler wrote:
>> Both are SO rules.
>
> ahhh... ok so they are GID 3 which i'm not using at this time due to kernel
> changes in my environment... hopefully you guys will still be releasing SO rules
> that are compatible with the kernel that my environment is "stuck" using for
> security reasons...


