
List:       snort-users
Subject:    Re: [Snort-users] Trying to understand some performance numbers
From:       Nathan Duval via Snort-users <snort-users () lists ! snort ! org>
Date:       2020-03-12 2:07:23
Message-ID: 5F056465-9532-4CFF-8809-4F28ECA7B9D0 () gmail ! com

Definitely appreciate the links from wkitty. Answered all my questions for the moment. Thanks!

> On Mar 11, 2020, at 9:02 PM, Joel Esler (jesler) via Snort-users <snort-users@lists.snort.org> wrote:
> We could probably teach a level 400 college course on writing efficient rules.  
> 
> We are coming out with an online rule writing course for Snort 3 here soon!
> 
> Sent from my iPhone
> 
> On Mar 11, 2020, at 15:25, wkitty42--- via Snort-users <snort-users@lists.snort.org> wrote:
> > On 3/11/20 12:57 PM, Nathan Duval via Snort-users wrote:
> > > What might cause it to always check against these, but not other tcp based sigs? Here is a full example of what these looked like:
> > >
> > > alert tcp [$HOME_NET,$RFC_1918] any -> <specific IP> any (msg:"IP Detection"; flow:to_server,established; threshold: type limit, track by_dst, count 10, seconds 60; sid:xxx; tag:session,5,packets; rev:1;)
> > 
> > 
> > IP only rules are heavy, yes... IIRC, having a "content:" in the rule helps to alleviate it from being checked on every packet... understandably, not all rules can check for content but it depends on what the rule's purpose is...
> > 
> > these links might help to understand better...
> > 
> > https://blog.talosintelligence.com/2009/01/tips-for-writing-good-rules-from-n00b.html
> > http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node36.html
> > http://resources.infosecinstitute.com/snort-rule-writing-for-the-it-professional/
> > https://resources.infosecinstitute.com/snort-rule-writing-for-the-it-professional-part-2-2/
> > 
> > found via this search:
> > https://www.google.com/search?q=how+to+write+efficient+snort+rules
> > 
> > -- 
> > NOTE: No off-list assistance is given without prior approval.
> > *Please keep mailing list traffic on the list where it belongs!*
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users@lists.snort.org
> > Go to this URL to change user options or unsubscribe:
> > https://lists.snort.org/mailman/listinfo/snort-users
> > 
> > To unsubscribe, send an email to:
> > snort-users-leave@lists.snort.org
> > 
> > Please visit http://blog.snort.org to stay current on all the latest Snort news!
> > 
> > Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
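The thread's practical point is that a rule with no "content:" (an IP-only rule like the one Nathan quoted) cannot be narrowed by the content matcher and is evaluated for every packet that fits its header, so such rules are the first thing to look for when hunting rule-set performance problems. The following Python lint is an added example written for this page; it is not code from the thread or from the Snort project. It parses single-line Snort rules, splits the option body correctly even when a ';' appears inside a quoted msg or content string, and flags the properties discussed above. The sample rules, their sids and the 192.0.2.x addresses are constructed for the example (the first sample mirrors the shape of Nathan's rule with a placeholder sid).

```python
import re
from dataclasses import dataclass, field

# Constructed sample rules for the example (not from any real ruleset).
# Rule 1000001 follows the shape of the IP-only rule quoted in the thread.
SAMPLE_RULES = """\
alert tcp [$HOME_NET,$RFC_1918] any -> 192.0.2.10 any (msg:"IP Detection"; flow:to_server,established; threshold: type limit, track by_dst, count 10, seconds 60; sid:1000001; tag:session,5,packets; rev:1;)
alert tcp $HOME_NET any -> 192.0.2.10 80 (msg:"Example; with content"; flow:to_server,established; content:"GET /admin"; fast_pattern; sid:1000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"pcre only"; pcre:"/^\\x16\\x03/"; sid:1000003; rev:1;)
# comment lines are skipped by the linter
"""

# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: dict = field(default_factory=dict)  # option name -> list of values
    raw: str = ''


def split_options(body):
    """Split the option body on ';', ignoring ';' inside double-quoted values
    and honouring backslash escapes inside quotes (e.g. content:"a\\"b")."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
            continue
        if ch == '\\' and in_quote:
            cur.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            opts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = ''.join(cur).strip()
    if tail:
        opts.append(tail)
    return [o for o in opts if o]


def parse_rule(line):
    """Parse one single-line Snort rule into a Rule; raises on anything else."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f'not a single-line Snort rule: {line!r}')
    options = {}
    for opt in split_options(m.group(8)):
        key, _, val = opt.partition(':')  # keyword-only options get val == ''
        options.setdefault(key.strip(), []).append(val.strip())
    return Rule(*m.groups()[:7], options=options, raw=line.strip())


def classify(rule):
    """Return the performance-relevant findings for one rule."""
    findings = []
    has_content = 'content' in rule.options
    has_pcre = 'pcre' in rule.options
    if not has_content and not has_pcre:
        # No payload match at all: nothing lets the content matcher skip this
        # rule, so it is evaluated for every packet matching its header.
        findings.append('ip-only: no content/pcre, evaluated for every packet matching the header')
    elif not has_content:
        findings.append('pcre without content: no string for the fast pattern matcher to pre-filter on')
    if rule.sport == 'any' and rule.dport == 'any':
        findings.append('any->any ports: the header does not narrow which ports reach the rule')
    if 'tag' in rule.options:
        findings.append('tag: additional session packets are logged after each alert')
    return findings


def lint(text):
    """Lint every rule line in text; returns {sid: [findings]}."""
    report = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        rule = parse_rule(line)
        sid = rule.options.get('sid', ['?'])[0]
        report[sid] = classify(rule)
    return report


if __name__ == '__main__':
    for sid, findings in lint(SAMPLE_RULES).items():
        print(sid, '->', '; '.join(findings) or 'ok')
```

Running it over a rules file of your own (read the file and pass its text to lint) lists the sids that would need a content: string, a tighter port, or a different approach (such as moving pure address matching into a reputation list) before they are worth deploying on a busy sensor.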