Re: Rule efficiency

[Alex Tatistcheff <alext () pobox com>]

On Mon, Jul 26, 2010 at 3:09 PM, Isherwood, Jeffrey - IS <
Jeffrey.Isherwood () itt com> wrote:

> LoL ;) well, while the outside hosts should not make it past the firewalls
> etc...
> I'd like to know that they are trying... so I am looking for traffic
> bi-directionaly.
>
> I do not have access to the DNS servers... and since many of the domains
> I'm chasing are dynamic...
> without access to DNS I'm stuck watching for content...
>
> And yes... even if the domains are down, I'm very interested in hosts
> internally that might be looking
> for crappydomain.com and it's friends
>
>
> -----Original Message-----
> From: waldo kitty [mailto:wkitty42 () windstream net]
> Sent: Monday, July 26, 2010 3:38 PM
> To: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] Rule efficiency
>
> > a quick question concerning your task... is this concerning sites that
> you host/hosted so
> > you are looking for inbound traffic to them or are these sites that the
> corporate entity has
> > placed "out of bounds" and you are looking for outbound traffic to them?
>
> > if the sites were hosted and are no longer available, what is the
> reasoning for looking for
> > traffic headed to them? why not just dump the DNS entries for them and
> close up the sites...
> > if they're down, what does it matter that something out there is using an
> old list... hummm...
> > unless maybe they were C&C centers and one is now attempting to find the
> culprit botherder... hummm...
>
> This e-mail and any files transmitted with it may be proprietary and are
> intended solely for the use of the individual or entity to whom they are
> addressed. If you have received this e-mail in error please notify the
> sender.
> Please note that any views or opinions presented in this e-mail are solely
> those of the author and do not necessarily represent those of ITT
> Corporation. The recipient should check this e-mail and any attachments for
> the presence of viruses. ITT accepts no liability for any damage caused by
> any virus transmitted by this e-mail.
>
>
> ------------------------------------------------------------------------------
> The Palm PDK Hot Apps Program offers developers who use the
> Plug-In Development Kit to bring their C/C++ apps to Palm for a share
> of $1 Million in cash or HP Products. Visit us here for more details:
> http://ad.doubleclick.net/clk;226879339;13503038;l?
> http://clk.atdmt.com/CRS/go/247765532/direct/01/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


Alex, you mentioned regarding the fast pattern matcher that "the patterns
used are based on the port used in the rule."  Is this just the destination
port, source port or source/destination combination?

Thanks!

Alex Tatistcheff

------------------------------------------------------------------------------
This SF.net Dev2Dev email is sponsored by:

Show off your parallel programming skills.
Enter the Intel(R) Threading Challenge 2010.
http://p.sf.net/sfu/intel-thread-sfd

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users