Snort mailing list archives

RE: Snort duplicate signatures in table


From: "Vladimir" <pvm () napravlenie ru>
Date: Fri, 21 Apr 2006 11:18:35 +0400

There are two possible solutions:

1. You use a BPF filter to prevent both instances from seeing the
   same traffic (why do you want to be alerted on both interfaces for
   the same packet?)

I use snort on 2 interfaces because I expect that some attacks may go
from the DMZ to the local net.
If snort listens only on the external interface, then I risk letting potential
attacks from the DMZ to the local net pass.
But I have a lot of traffic from the external to the DMZ networks, and a lot of
duplicate alerts.
Maybe I have some errors in my snort configuration? Is it really important that
snort listens on the DMZ interface?

2. You insert all signatures in the database before you start snort.
   -> In this case all queries for signatures will succeed.

I have thought about this. But every time I update the snort rules, I need to
insert fresh signatures into the database... I can do that. As a last
resort...
But I want to solve this problem by correct snort configuration...



