Re: Fine tuning Snort

[ScottO <skippylou () gmail com>]

James,

You can specify cidr notation for address blocks in threshold.conf,
something like:

suppress gen_id 1, sig_id 11111, track by_src, ip 10.1.2.0/24

Hope that helps,

scott

On Fri, Oct 8, 2010 at 8:24 AM, James Lay <jlay () slave-tothe-box net> wrote:

> Thanks Waldo,
>
> It's been quite interesting...I have at least four rules that look for
> executables...and as I look at the threshold file I can only threshold
> against one IP at a time...meaning I've got a lot of work to do as I have
> to add pretty much most of google and windowsupdate.com ;)  Even thought
> I'm tempted to simply start snort to not monitor those netblocks, eh...I'd
> rather do the right thing.
>
> Thanks again for the help.
>
> James
>
>
> On 10/7/10 10:23 PM, "waldo kitty" <wkitty42 () windstream net> wrote:
>
> > On 10/7/2010 14:02, James Lay wrote:
> > > Kevin and Waldo, you gents are treasuresŠI will get to work and report
> > > my
> > > resultsŠthank you much!
> >
> > something else to thing about concerning rules that you would just
> > totally
> > suppress in threshold.conf... if they are completely suppressed then you
> > might
> > as well comment them out of the rules set so they do not consume any
> > memory and
> > snort won't waste any time loading them just to be ignoring them... but i
> > guess
> > this also depends on your tools and management systems... some may use
> > only
> > threshold to "disable" rules where others may actually comment them in
> > the rules
> > sets files... personally, i think the threshold file is best to suppress
> > certain
> > rules for certain IPs... total suppression is the same as disabled so...
> > ;)
> >
> > --------------------------------------------------------------------------
> > ----
> > Beautiful is writing same markup. Internet Explorer 9 supports
> > standards for HTML5, CSS3, SVG 1.1,  ECMAScript5, and DOM L2 & L3.
> > Spend less time writing and  rewriting code and more time creating great
> > experiences on the web. Be a part of the beta today.
> > http://p.sf.net/sfu/beautyoftheweb
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>
>
> ------------------------------------------------------------------------------
> Beautiful is writing same markup. Internet Explorer 9 supports
> standards for HTML5, CSS3, SVG 1.1,  ECMAScript5, and DOM L2 & L3.
> Spend less time writing and  rewriting code and more time creating great
> experiences on the web. Be a part of the beta today.
> http://p.sf.net/sfu/beautyoftheweb
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------------------------------
Beautiful is writing same markup. Internet Explorer 9 supports
standards for HTML5, CSS3, SVG 1.1,  ECMAScript5, and DOM L2 & L3.
Spend less time writing and  rewriting code and more time creating great
experiences on the web. Be a part of the beta today.
http://p.sf.net/sfu/beautyoftheweb

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users