Dealing with Snort rules and signatures

[Pratik Narang <pratik.cse.bits () gmail com>]

Answers or comments, anyone? :)

On Fri, Jul 27, 2012 at 4:51 PM, Pratik Narang
<pratik.cse.bits () gmail com> wrote:
> As and when Snort sees packets, how it deals with them? I read in the
> manual- "The Pass rules are applied first, then the Drop rules, then
> the Alert rules and finally, Log rules are applied" and "the event
> processing is terminated when a pass rule is encountered".
> So, will all pass rules be *always* applied to a packet? Or will the
> packet be 'passed' after the x rules are hit? And does this 'x' differ
> from protocol to protocol???
> And does the above procedure differ for Drop, Alert and Log rules???
>
> Snort rules are huge in number. For the sake of higher efficiency, how
> can I customize Snort to do, say, that 'after you see that such-n-such
> packet(s) triggers such-n-such rule(s), take <this> action on it/
> apply no more rules on it'.
>
> How does Snort deal with encrypted packets? How does it deal with
> packets on SSL, and packets on TCP & TLS?
>
> How does it deal with compressed (zipped) packets? Can signatures be
> applied to them without loss of efficiency?

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!