Snort mailing list archives

Re: redundant rules


From: Martin Roesch <roesch () sourcefire com>
Date: Thu, 10 May 2001 16:31:05 -0400

What are your HOME_NET and EXTERNAL_NET variables set to?  Are you
portscanning yourself from the same network that you're monitoring?

   -Marty

"Watson, Ed" wrote:

The default rules don't seem to pick up port scans, even obvious ones.
I thought if I used the vision.rules, that would be more effective,
and it hasn't. Could redundant rules cause it to not log these events?

1166 rules read...
1166 Option Chains linked into 257 Chain Headers
0 Dynamic rules

System
      Dell 1550
        dual PIII 833
        1gb ram
        100baseTX FDX
    Resource usage
        Mem .6%
        CPU  .1%
OS
    RH7

Ed Watson

--
Martin Roesch
roesch () sourcefire com
http://www.sourcefire.com - http://www.snort.org
