Snort mailing list archives

RE: Configuring False positives


From: Erek Adams <erek () theadamsfamily net>
Date: Fri, 23 Nov 2001 11:52:57 -0800 (PST)

On Fri, 23 Nov 2001, Tom Sevy wrote:

I have found that when I do this, then another rule catches it and
alerts.....

Right!  ;-)  That's part of the fun, the easter egg hunt in the rules!  You'll
have 2 or 3 IIRC you want to 'disable'.  Now, disabling the rules is nice,
but there's something else you can do....

If you have Apache, set up something like this:

# Redirect allows you to tell clients about documents which used to exist in
# your server's namespace, but do not anymore. This allows you to tell the
# clients where to look for the relocated document.
# Format: Redirect old-URI new-URL
#
# (The dot is escaped so the pattern matches the literal file name only.)
RedirectMatch (.*)cmd\.exe(.*) http://127.0.0.1
RedirectMatch (.*)root\.exe(.*) http://127.0.0.1
RedirectMatch (.*)default\.ida(.*) http://127.0.0.1

Now, this doesn't give them a 404, it gives a 302.  And sends the worms back to
the localhost.  :)  Some of these worms use blocking threads.  Eventually,
you force the host into a 'self-inflicted' DoS.  They stop beating on you, and
everyone else, after a while....  (Some kind soul shared that on the incidents
list a while back...)

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
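The redirect trick from the post, as an added worked example that is not part of the original message or of Apache itself: a small Python stand-in that parses the same RedirectMatch directives, answers matching worm probes with a 302 to http://127.0.0.1 and everything else with a 404, and tallies redirected probes per client from access-log lines so you can watch a scanning host tail off. The config fragment, the log lines and the client addresses are constructed for the example; the RedirectMatch regexes mirror the post's with the dot escaped.

```python
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed Apache fragment mirroring the RedirectMatch lines from the post,
# with the dots escaped so "cmd.exe" cannot also match "cmdXexe".
APACHE_CONF = r"""
# Send worm probes back to the client itself
RedirectMatch (.*)cmd\.exe(.*) http://127.0.0.1
RedirectMatch (.*)root\.exe(.*) http://127.0.0.1
RedirectMatch (.*)default\.ida(.*) http://127.0.0.1
"""


def load_redirect_rules(conf_text):
    """Parse 'RedirectMatch <regex> <url>' directives, skipping blank and # lines."""
    rules = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3 and parts[0] == "RedirectMatch":
            rules.append((re.compile(parts[1]), parts[2]))
    return rules


RULES = load_redirect_rules(APACHE_CONF)


def classify_request(path, rules=RULES):
    """Return (302, location) for a request path a rule redirects, else None."""
    for pattern, location in rules:
        if pattern.search(path):
            return 302, location
    return None


class RedirectHandler(BaseHTTPRequestHandler):
    """Minimal stand-in for Apache: 302 to localhost on a match, 404 otherwise."""

    def do_GET(self):
        verdict = classify_request(self.path)
        if verdict is None:
            self.send_error(404)
            return
        status, location = verdict
        self.send_response(status)
        self.send_header("Location", location)
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the console quiet


# Constructed common-log-format lines (documentation addresses, not real hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [23/Nov/2001:11:52:57 -0800] "GET /scripts/cmd.exe?/c+dir HTTP/1.0" 302 -',
    '192.0.2.10 - - [23/Nov/2001:11:53:01 -0800] "GET /default.ida?XXXX HTTP/1.0" 302 -',
    '192.0.2.20 - - [23/Nov/2001:11:53:10 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 302 -',
    '198.51.100.5 - - [23/Nov/2001:11:54:00 -0800] "GET /index.html HTTP/1.0" 200 1432',
]

LOG_RE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def count_redirected_probes(log_lines, rules=RULES):
    """Tally 302-redirected worm probes per client address."""
    counts = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, path, status = m.groups()
        if status == "302" and classify_request(path, rules):
            counts[client] = counts.get(client, 0) + 1
    return counts


if __name__ == "__main__":
    print(count_redirected_probes(SAMPLE_LOG))
    # Serve the redirect behaviour locally; probe it with a browser or curl.
    HTTPServer(("127.0.0.1", 8080), RedirectHandler).serve_forever()
```

Note that the escaped dot matters: with Python's `re`, the post's original `\cmd.exe` form is rejected as a bad escape, and an unescaped `.` would match any character in that position.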