Snort mailing list archives
RE: Configuring False positives
From: Erek Adams <erek () theadamsfamily net>
Date: Fri, 23 Nov 2001 11:52:57 -0800 (PST)
On Fri, 23 Nov 2001, Tom Sevy wrote:
> I have found that when I do this, then another rule catches it and alerts.....

Right! ;-) That's part of the fun, the easter egg hunt in the rules! You'll have 2 or 3 IIRC you want to 'disable'. Now, disabling the rules is nice, but there's something else you can do.... If you have Apache, set up something like this:

    # Redirect allows you to tell clients about documents which used to exist in
    # your server's namespace, but do not anymore. This allows you to tell the
    # clients where to look for the relocated document.
    # Format: Redirect old-URI new-URL
    #
    RedirectMatch (.*)\cmd.exe(.*) http://127.0.0.1
    RedirectMatch (.*)\root.exe(.*) http://127.0.0.1
    RedirectMatch (.*)\default.ida(.*) http://127.0.0.1

Now, this doesn't give them a 404, it gives a 302, and sends the worms back to the localhost. :) Some of these worms use blocking threads. Eventually, you force the host into a 'self-inflicted' DoS. They stop beating on you, and everyone else, after a while.... (Some kind soul shared that on the incidents list a while back...)

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
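As an added example (not from the original post or the Snort project), a small Python script that reads constructed Apache combined-format access-log lines and reports, per source host, how many of the cmd.exe / root.exe / default.ida probes received the 302 redirect versus some other status, so you can confirm the RedirectMatch rules above are actually firing; the log lines and IPs are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Apache combined log format (not from the original post).
# The first host's probes hit the RedirectMatch rules (302); the second host's server lacks them (404).
SAMPLE_LOG = """\
192.0.2.10 - - [23/Nov/2001:11:40:01 -0800] "GET /scripts/root.exe HTTP/1.0" 302 209 "-" "-"
192.0.2.10 - - [23/Nov/2001:11:40:02 -0800] "GET /MSADC/root.exe HTTP/1.0" 302 209 "-" "-"
192.0.2.10 - - [23/Nov/2001:11:40:03 -0800] "GET /c/winnt/system32/cmd.exe HTTP/1.0" 302 209 "-" "-"
198.51.100.7 - - [23/Nov/2001:11:41:10 -0800] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 276 "-" "-"
203.0.113.5 - - [23/Nov/2001:11:42:00 -0800] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"
"""
# Combined log format: host ident user [time] "method uri proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)
# The same three markers the RedirectMatch rules key on, with the dots escaped.
WORM_URI_RE = re.compile(r'(cmd\.exe|root\.exe|default\.ida)', re.IGNORECASE)


def parse_line(line):
    """Split one access-log line into fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return the worm marker found in the request URI (lower-cased), or None."""
    m = WORM_URI_RE.search(entry["uri"])
    return m.group(1).lower() if m else None


def summarize(log_text):
    """Return (by_src, by_marker): per source IP, a Counter of 'redirected' (302) or
    'status_NNN' outcomes for its probes; and a Counter of probes per marker."""
    by_src = defaultdict(Counter)
    by_marker = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        marker = classify(entry)
        if marker is None:
            continue  # ordinary traffic, not a probe
        by_marker[marker] += 1
        outcome = "redirected" if entry["status"] == "302" else "status_" + entry["status"]
        by_src[entry["src"]][outcome] += 1
    return dict(by_src), by_marker
```

Run it against your real access_log instead of SAMPLE_LOG; any probe counted under something other than 'redirected' is a request the RedirectMatch rules did not catch.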