Re: [Snort 2.2.0] Rules won't trigger

[Edin Dizdarevic <edin.dizdarevic () interActive-Systems de>]

Yes, I agree with this fully. However, the innevitable question remains,
how to remedy those in the future as well as how to test the sigs
reliably? Tools creating testcode from the signatures should consider
the situation we had to cope with. I am happy to say that my need on
signatures is between 80-150 so in the worst case one could delegate the
testing to an apprentice - but those are not always reliable as well ;)

Edin

Alex Kirk schrieb am 20.01.2005 19:45:
> All,
>
> Just to clarify this, I'm seeing different login data than what the rule 
> looks for in PCAPs from both Edin and my own testing. This may be caused 
> by a variety of reasons, from a difference in the client we're using vs. 
> what was used to create the rule, an update to the protocol, etc. This 
> does not necessarily mean that the current rule is always invalid, just 
> that there are some false negatives.
>
> For all those who may be concerned about this rule, I've created a bug 
> internally, and the rule will be updated and/or a new rule will be added 
> as appropriate in the next rule pack after we determine what the 
> appropriate course of action is.
>
> Alex Kirk
> Research Analyst
> Sourcefire, Inc.

...

--
Edin Dizdarevic


-------------------------------------------------------
This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting
Tool for open source databases. Create drag-&-drop reports. Save time
by over 75%! Publish reports on the web. Export to DOC, XLS, RTF, etc.
Download a FREE copy at http://www.intelliview.com/go/osdn_nl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users