Snort mailing list archives
Re: rules vs. suppress
From: Jeremy Hewlett <jh () sourcefire com>
Date: Wed, 23 Mar 2005 16:51:47 -0500
On Mon, Mar 21, Lee Clemens wrote:
But my question is this: Would it have been better to simply write SUPPRESS rules and specify my network in track by_src and track by_dst, or to keep these many rules that include every private network except my own.
By adding these 21 rules, you're increasing the inspection time. Each packet that comes in will be evaluated sequentially against these rules. Suppression is a better choice, it's a simpler execution path, and you're not adding any additional rules.
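As an added illustration (not part of the thread), this is what the two approaches look like in Snort 2.x configuration: the sids, the MY_NET value 192.168.10.0/24 and the rule text are constructed placeholders; $HOME_NET is the usual snort.conf variable.

```snort
# Constructed example; sids 1000001/1000002 and MY_NET are placeholders.
var MY_NET 192.168.10.0/24

# Approach 1 (what the question describes): rules whose headers list the
# private ranges with the sensor's own network negated out. Every packet
# walks this address list (and the other 20 rules like it) during inspection.
alert ip [10.0.0.0/8,172.16.0.0/12,[192.168.0.0/16,!$MY_NET]] any -> $HOME_NET any \
    (msg:"EXAMPLE traffic from a foreign private range"; sid:1000001; rev:1;)

# Approach 2 (the reply's suggestion): one rule that covers all private
# ranges, plus suppress entries in threshold.conf (pulled in by the
# "include threshold.conf" line in snort.conf). Suppression is consulted
# only when the rule fires, so it drops the event rather than adding work
# to the per-packet rule walk.
alert ip [10.0.0.0/8,172.16.0.0/12,192.168.0.0/16] any -> $HOME_NET any \
    (msg:"EXAMPLE traffic from a private range"; sid:1000002; rev:1;)

# threshold.conf: silence sid 1000002 for the sensor's own network in both
# directions; sources in the other private ranges still generate events.
suppress gen_id 1, sig_id 1000002, track by_src, ip 192.168.10.0/24
suppress gen_id 1, sig_id 1000002, track by_dst, ip 192.168.10.0/24
```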