Re: RE: rules vs. suppress

["Salil D." <salildumbre () rediffmail com>]

Hi there,

I had been sniffing into your mails
a coincidence, I am stuck at snort.conf and writing of rules
I wrote a few of them for TCP and ICMP
the signature table gets updated 
Kindly, please let me know about snort.conf and rules
and also about multiple sensors

Salil.



On Thu, 24 Mar 2005 Lee Clemens wrote :
> That all makes sense, but a serious caveat...what suppress statement
> wouldn't cause the rule to be pointless? (alert any any <> 10/8 any)
>
> If the rule says alert when the ip is 10.* and I write a suppress for
> by_src $HOME_NET and again
> by_dst $HOME_NET,
>
> Then any illicit traffic will be suppressed if it is sent to one of my
> computers or from one of my computers to one of these non-existent
> (shouldn't be) addresses (exactly what I don't want, and the reason for the
> rules in the first place).
>
> Am I overlooking a simple solution for this?
>
>
> -----Original Message-----
> From: snort-users-admin () lists sourceforge net
> [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Jeremy Hewlett
> Sent: Wednesday, March 23, 2005 4:52 PM
> To: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] rules vs. suppress
>
> On Mon, Mar 21, Lee Clemens wrote:
> > But my question is this: Would it have been better to simply write
> SUPPRESS
> > rules and specify my network in track by_src and track by_dst, or to keep
> > these many rules that include every private network except my own.
>
> By adding these 21 rules, you're increasing the inspection time. Each
> packet that comes in will be evaluated sequentially against these
> rules. Suppression is a better choice, it's a simpler execution path,
> and you're not adding any additional rules.
>
>
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by Microsoft Mobile & Embedded DevCon 2005
> Attend MEDC 2005 May 9-12 in Vegas. Learn more about the latest Windows
> Embedded(r) & Windows Mobile(tm) platforms, applications & content.
> Register
> by 3/29 & save $300 http://ads.osdn.com/?ad_id=6883&alloc_id=15149&op=click
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by Microsoft Mobile & Embedded DevCon 2005
> Attend MEDC 2005 May 9-12 in Vegas. Learn more about the latest Windows
> Embedded(r) & Windows Mobile(tm) platforms, applications & content.  Register
> by 3/29 & save $300 http://ads.osdn.com/?ad_id=6883&alloc_id=15149&op=click
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users