[Emerging-Sigs] Snort, IP-Only Rules, Performance

JJ Cummings cummingsj at gmail.com
Sat Dec 8 09:58:29 HAST 2012


If you are looking for bad ip addresses, use the reputation preprocessor, this is what it was designed for.  And even though it doesn't state explicitly, it works in IDS (passive) mode.  Simply maintain a list file with the bad ip addresses and use it (read blacklist).  You can even reload the list via a control socket rather than a full HUP of snort, purposely designed and built to allow for regular and recurring reloads of said list ( many ip reputation feeds update hourly for example )...

Sent from the iRoad

On Dec 8, 2012, at 12:17, waldo kitty <wkitty42 at windstream.net> wrote:

> On 12/7/2012 12:08, Nathan wrote:
>> Forgive me for being out of the loop with regard to this topic but what
>> options/improvements have been made with regard to "IP only" rules with Snort.
>> I am running Snort 2.9.4 DAQ 2.0.0 and the IP only rules such as
>> emerging-tor.rules are performance degrading even with Flags:S.
> 
> i don't know what one might check for but in recent snort list traffic, it was pointed out that checking for content actually speeds things up... kinda makes me wonder if there's some content or !content that could be added to the rules...
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!


More information about the Emerging-sigs mailing list