Jason Brvenik wrote:
more rules == more work in every case.
Even where the flowbit has to be qualified before any matching?
Matt
The rule
alert tcp any 1024: -> $HOME_NET 1024: (msg:"BLEEDING-EDGE \
ATTACK_RESPONSE Off-Port FTP Without Banners - 220"; \
flow:established,to_server; dsize:6; content:"220 |0d 0a|"; offset:0; \
depth:6; flowbits:noalert; flowbits:set,ET.strippedftp220; \
sid: 2007714; rev:1;)
has inherent overhead, adding rules on top of it doesn't help
performance. Qualifying with additional rules might help false positives
but packets *to server* are unlikely to fire in this chain anyway...
basically a client sending 220 \r\n only is probably rare unless
intentional.
If you want to post qualify events check out my latest SnortUnified.pm
with support for qualifiers :)
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
US Phone 765-429-0398
US Fax 312-264-0205
AUS Fax 61-29-4750-026
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
