Snort mailing list archives

Re: [Emerging-Sigs] No real performance penalty?


From: Joel Esler <jesler () sourcefire com>
Date: Wed, 11 Jan 2012 10:36:29 -0500

On Jan 11, 2012, at 6:30 AM, elof () sentor se wrote:

> Now, the main workload here is the Fast Pattern matching.
> The test to see if the packet is actually coming from src port 23 is only
> matched on the very few tcp packets that actually contain the pattern
> "login incorrect".

Right.

> Have I got it right, or is there a major reason why I should not choose to
> turn the telnet only rule into a general rule?

False positives and alert generation.

You'd be dealing with a ton of alerts instead of only ones on port 23.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
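The trade-off discussed above, as an added illustration that is not code from the thread, from Emerging Threats or from Snort itself. The two rules below are hypothetical (local-range SIDs, not ET signatures), and the packets are constructed inline. The toy models only the evaluation order the thread describes (content first, then the port test) and deliberately ignores that real Snort pre-selects rules by port group and runs one multi-pattern search for the whole ruleset, so the counts show the alert-volume effect of dropping the port restriction, not Snort's true per-packet cost.

```python
"""Toy model of a Snort content rule: content check first, port test only on
content hits.  Compares a port-23 rule with an any-port variant over a small
constructed packet set (added example, not code from the thread or from Snort)."""
import re
from dataclasses import dataclass
from typing import Iterable, Tuple

# Hypothetical rules for illustration; SIDs are in the local range, not ET SIDs.
RULE_TELNET = ('alert tcp any 23 -> any any (msg:"telnet login failed"; '
               'content:"login incorrect"; nocase; sid:1000001; rev:1;)')
RULE_ANY = ('alert tcp any any -> any any (msg:"login failed, any port"; '
            'content:"login incorrect"; nocase; sid:1000002; rev:1;)')

# Minimal header parser: action proto src sport -> dst dport (options)
HEADER_RE = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')

# (proto, src port, dst port, payload); constructed sample traffic.
Packet = Tuple[str, int, int, bytes]
SAMPLE_PACKETS = [
    ("tcp", 23, 51000, b"\r\nLogin incorrect\r\nlogin: "),        # telnet banner
    ("tcp", 23, 51001, b"\r\nWelcome to host\r\nlogin: "),        # telnet, no hit
    ("tcp", 80, 51002, b"HTTP/1.1 200 OK\r\n\r\n<p>Login incorrect</p>"),
    ("tcp", 443, 51003, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"),  # TLS, opaque
    ("tcp", 25, 51004, b"250 2.1.0 Ok\r\n"),
    ("tcp", 110, 51005, b"-ERR login incorrect\r\n"),             # POP3 failure
    ("udp", 53, 51006, b"\x12\x34\x81\x80\x00\x01"),              # wrong protocol
    ("tcp", 22, 51007, b"SSH-2.0-OpenSSH_5.9\r\n"),
    ("tcp", 8080, 51008, b'{"error":"login incorrect"}'),          # web API
]


@dataclass
class Rule:
    sid: int
    proto: str
    src_port: str
    dst_port: str
    content: bytes
    nocase: bool


@dataclass
class Stats:
    fast_pattern_checks: int = 0   # packets whose payload was searched
    port_checks: int = 0           # packets that reached the port test
    alerts: int = 0                # packets that fired the rule


def parse_rule(text: str) -> Rule:
    """Parse the subset of Snort rule syntax used by the two rules above."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("unsupported rule syntax")
    _action, proto, _src, sport, _dst, dport, opts = m.groups()
    content = re.search(r'content:"([^"]*)"', opts).group(1).encode()
    sid = int(re.search(r'sid:(\d+)', opts).group(1))
    return Rule(sid, proto, sport, dport, content, 'nocase;' in opts)


def port_matches(spec: str, port: int) -> bool:
    return spec == 'any' or int(spec) == port


def evaluate(rule: Rule, packets: Iterable[Packet]) -> Stats:
    """Content (fast pattern) is tested on every packet of the right protocol;
    the port test runs only where the content was found."""
    stats = Stats()
    needle = rule.content.lower() if rule.nocase else rule.content
    for proto, sport, dport, payload in packets:
        if proto != rule.proto:
            continue
        stats.fast_pattern_checks += 1
        hay = payload.lower() if rule.nocase else payload
        if needle not in hay:
            continue                      # most packets stop here
        stats.port_checks += 1
        if port_matches(rule.src_port, sport) and port_matches(rule.dst_port, dport):
            stats.alerts += 1
    return stats


if __name__ == "__main__":
    for text in (RULE_TELNET, RULE_ANY):
        rule = parse_rule(text)
        print(f"sid {rule.sid}: {evaluate(rule, SAMPLE_PACKETS)}")
```

Both variants search the same eight TCP payloads and reach the port test on the same four content hits; the difference is entirely in what fires: the port-23 rule alerts once, the any-port rule alerts on the HTTP, POP3 and API responses as well, which is the alert volume and false-positive cost the reply refers to.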
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org