Snort mailing list archives

Re: Snort CPU consumptions


From: Balasubramaniam Natarajan <bala150985 () gmail com>
Date: Thu, 9 Jan 2014 09:26:58 +0530

On Thu, Jan 9, 2014 at 6:56 AM, waldo kitty <wkitty42 () windstream net> wrote:


> so one answer to tuning this rule would be to
>
>    1. include a content match
>    2. include a flow direction
>
> but looking at that PCRE, i don't see where it is any more helpful than a
> simple "any any -> any any" type rule :?


Thanks for the advice, I will keep them in mind. I have disabled those rules
since my Snort would never get to see traffic on those ports due to the
firewall :-)

I am actually planning to do away with all those rules where the port is
not allowed by my firewall in the ingress and create just one rule which
just looks for "SYN-ACK" flags on those exotic ports should my firewall
fail.  Any pointers on whether this is a good idea?  I know that UDP should also be
addressed.

I can foresee responses coming in saying Snort is not made for this.  I
just hope to be wrong on this one too.

-- 
Regards,
Balasubramaniam Natarajan
www.blog.etutorshop.com
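As an added example (not a rule from this thread or from the Snort rule sets), one way to write the proposed "canary" rule: it fires only when a host inside $HOME_NET answers with a SYN-ACK from a port the ingress firewall is supposed to drop, so under normal conditions it matches nothing and costs almost nothing. $CANARY_PORTS and $CANARY_UDP_PORTS are assumed portvars you would define in snort.conf, and the sids are placeholders in the local range.

```snort
# Assumed portvars (constructed example values, not from the thread):
# portvar CANARY_PORTS [135,139,445,1433,3389]
# portvar CANARY_UDP_PORTS [69,161,1434]

# TCP: an internal host replying SYN-ACK from a "blocked" port means the
# firewall let the SYN through. Source port is the exotic port because the
# reply comes FROM the service. flags:SA,12 requires exactly SYN+ACK while
# ignoring the two reserved (CWR/ECE) bits; flow:stateless so the rule is
# evaluated even though stream5 has not marked the session established.
alert tcp $HOME_NET $CANARY_PORTS -> $EXTERNAL_NET any ( \
    msg:"LOCAL canary: SYN-ACK from port that should be blocked at ingress"; \
    flags:SA,12; flow:stateless; \
    threshold:type limit, track by_src, count 1, seconds 60; \
    classtype:policy-violation; sid:1000001; rev:1; )

# UDP: no handshake to key on, so the closest equivalent is any datagram
# leaving an internal host FROM one of the blocked UDP ports, i.e. a
# service answered something the firewall should have dropped.
alert udp $HOME_NET $CANARY_UDP_PORTS -> $EXTERNAL_NET any ( \
    msg:"LOCAL canary: UDP reply from port that should be blocked at ingress"; \
    threshold:type limit, track by_src, count 1, seconds 60; \
    classtype:policy-violation; sid:1000002; rev:1; )
```

The threshold keeps a single misconfiguration from producing one alert per packet; the rule still tells you nothing about what was sent, only that the firewall policy did not hold.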