Unsubscribe ...

[Lyndon Tiu <ltiu () alumni sfu ca>]

Hello,

I am sorry for asking the group how to unsubscribe, for some reason, the 
attached email from the group did not have anything at the bottom AND I 
happen to have picked this one when trying to find information on how to 
unsubscribe .... 

--
Lyndon Tiu
> --- Begin Message ---
>
>
> From: "Jacob, Raymond A Jr" <raymond.jacob () navy mil>
>
> Date: Wed, 24 Nov 2004 17:31:48 -0500
>
> There is a sensor  between an edge router the premisis distribution router. Traffic from say 3DMZ's plus the intranet 
> is captured by
> a snort ids.
> We would like to separate the alerts based on DMZ Network address of the alert. I had thought I could collect all the
> alerts in one database and create an acid.php script for each DMZ and create an acid database
> for DMZ. While I would love the challenge, the mind is strong but the programming skills are weak.
>  An senior administrator suggested that I define a  ruletype for each DMZ.
> Questions: 
> 1. Assuming I have 2000 rules, if I were to implement the following for 3 DMZs
> I would have a total of 8000 rules. Would this many rules affect a snort ids sensor's performance?
> I realize that the answer to my question depends on how the rule lists are implemented.
> If the rules were in a linearly linked list I know the performance would be affected.
> In a Btree, where the more specific rule lists are tried first then the time
> to access any rule should be constant and the performance should not be affected?
>
> 2. Is the syntax correct in my Example snort.conf and snort rules correct?
>
> 3. Is there a better way to create rules that send alerts to a particular database
> based on the DMZ network address?
>
>
> #Example excerpt of snort.conf
> ruletype DMZ1_alert
> {
>     type alert
>     output alert_syslog: LOG_AUTH LOG_ALERT
>     output database: log, mysql, user=snort dbname=dmz1 host=localhost
> }
> ruletype DMZ2_alert
> {
>     type alert
>     output alert_syslog: LOG_AUTH LOG_ALERT
>     output database: log, mysql, user=snort dbname=dmz3 host=localhost
> }
> ruletype DMZ3_alert
> {
>     type alert
>     output alert_syslog: LOG_AUTH LOG_ALERT
>     output database: log, mysql, user=snort dbname=dmz3 host=localhost
> }
>
>
> var DMZ1_NET [192.168.1.0/24,10.1.1.0/24]
>
> var DMZ1_NET [192.168.2.0/24,10.1.2.0/24]
>
> var DMZ1_NET [192.168.3.0/24,10.1.3.0/24]
>
> var RULE_PATH /snort/rules
> var DMZ1 DMZ1_NET
> var DMZ2 DMZ2_NET
> var DMZ3 DMZ3_NET
>
> include $RULE_PATH/exploit.rules
> include $RULE_PATH/$DMZ1/exploit.rules
> include $RULE_PATH/$DMZ2/exploit.rules
> include $RULE_PATH/$DMZ3/exploit.rules
> ----------------------------
> Example of a few Snort Rules.
> /snort/rules/exploit.rules
> alert tcp any any -> any any (msg:"Possible  exploit"; content:"|90|";  \
> offset:40; depth:75;)
>
> /snort/rules/DMZ1_NET/exploit.rules
> DMZ1_alert tcp any any -> $DMZ1_NET any (msg:"Possible  exploit"; content:"|90|";  \
> offset:40; depth:75;)
>
> /snort/rules/DMZ2_NET/exploit.rules
> DMZ2_alert tcp any any -> $DMZ2_NET any (msg:"Possible  exploit"; content:"|90|";  \
> offset:40; depth:75;)
>
> /snort/rules/DMZ3_NET/exploit.rules
> DMZ3_alert tcp any any -> $DMZ3_NET any (msg:"Possible  exploit"; content:"|90|";  \
> offset:40; depth:75;)
>
> --- End Message ---