Re: [Snort-users] Rule performance profiling question

From: waldo kitty <wkitty42_at_nospam>
Date: Thu Sep 16 2010 - 15:24:26 GMT
To: snort-users@lists.sourceforge.net

On 9/16/2010 09:07, Andy Berryman wrote:
> Joel wrote that they “both are SO rules.”
>
> What does that have to do with it? Does it make a difference that they are so
> rules?

yes... because they are GID:3 while the normal text rules in the *.rules files
are GID:1... GID:3 are binary and if one is not using them, one cannot locate
their SID ;)

with GID:3 being binary, there is also the problem of them having to be
distributed in pre-compiled format... that means that they must be compatible
with one's kernel and environment... if there are no pre-compiled rules that fit
one's kernel and environment, then one cannot use GID:3 rules at all... well,
not unless their source is available and can be compiled for one's
environment... however, making the source for GID:3 rules available negates the
reason for their existence in the first place... that reason is to prevent folk
from seeing what is being detected and how so that they cannot work to avoid the
detection...

IIUC, GID:3 rules detect traffic problems that have not yet been made public...
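As an added illustration that is not part of this thread, the following Python joins Snort 2 rule-profiler rows (the "Num SID GID Rev Checks Matches Alerts Microsecs ..." table printed by config profile_rules) with the rule lines Snort loaded, so a GID:3 entry can at least be matched to its stub's msg while being flagged as a shared-object rule whose detection logic is not in the text. Both the rule lines and the profiler rows below are constructed samples, not output from the poster's system.

```python
import re

# Constructed rule lines: a GID:1 text rule (no gid option, so gid defaults
# to 1) and a GID:3 shared-object stub of the kind found in so_rules/*.rules.
RULES = '''
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC example text rule"; content:"foo"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SO stub example"; metadata:engine shared; gid:3; sid:1000002; rev:2;)
'''

# Constructed rule-profile rows in the layout assumed for "config profile_rules".
PROFILE = '''
   Num      SID GID Rev     Checks   Matches    Alerts           Microsecs  Avg/Check  Avg/Match Avg/Nonmatch   Disabled
     1  1000002   3   2       5000        40        40                15000       3.0      10.0          2.9          0
     2  1000001   1   1       5000        10        10                 4000       0.8       5.0          0.8          0
'''

def index_rules(text):
    """Map (gid, sid) -> (msg, is_shared_object) for every rule line."""
    idx = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        sid = re.search(r'\bsid:\s*(\d+)\s*;', line)
        if not sid:
            continue
        gid = re.search(r'\bgid:\s*(\d+)\s*;', line)
        msg = re.search(r'\bmsg:\s*"([^"]*)"\s*;', line)
        g = int(gid.group(1)) if gid else 1  # text rules omit gid -> GID:1
        idx[(g, int(sid.group(1)))] = (msg.group(1) if msg else '', g == 3)
    return idx

def parse_profile(text):
    """Return one dict per numeric row of the profiler table (header rows skipped)."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or not f[0].isdigit():
            continue
        rows.append({'sid': int(f[1]), 'gid': int(f[2]), 'rev': int(f[3]),
                     'checks': int(f[4]), 'matches': int(f[5]),
                     'alerts': int(f[6]), 'usecs': int(f[7])})
    return rows

def annotate(profile_text, rules_text):
    """Attach msg and a shared-object flag to each profiled gid:sid."""
    idx = index_rules(rules_text)
    out = []
    for r in parse_profile(profile_text):
        msg, so = idx.get((r['gid'], r['sid']),
                          ('<not in loaded rule files>', r['gid'] == 3))
        out.append({**r, 'msg': msg, 'shared_object': so})
    return out
```

A GID:3 row with no matching stub still gets shared_object=True, which is the case the thread describes: the SID exists in the profiler output but the rule cannot be located in any text file.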
