Re: What do the commented-out rules mean?

[Matt Olney <molney () sourcefire com>]

Joel is right.

We turn rules off for several reasons:

Preprocessors render them irrelevant
Performance impact too high in relation to the threat
False positives too high in relation to the threat
The rule covers an obsolete vuln, and should only be used by people  
trapped by old tech.

Hope that helps,

Matt

Sent from my iPhone

On Dec 1, 2009, at 8:29 PM, Joel Esler <jesler () sourcefire com> wrote:

> On Tue, Dec 1, 2009 at 7:15 PM, 林闻捷 <wendyfermilin () gmail com>  
> wrote:
> Hi, all
>
> I analyze the web-activex rules in both 2.7 and 2.8 version. There  
> are lots of rules commented out (more than half). So do many other  
> files. What do commented-out rules mean? Are they bad rules, or as a  
> backup for special usage? Thank you very much!
>
>
> It means they are off by default.  You can choose to turn them on,  
> if they apply to your environment.
>
>
>
>
> --
> Joel Esler | 302-223-5974 | Gtalk: jesler () sourcefire com
> --- 
> --- 
> --- 
> ---------------------------------------------------------------------
> Join us December 9, 2009 for the Red Hat Virtual Experience,
> a free event focused on virtualization and cloud computing.
> Attend in-depth sessions from your desk. Your couch. Anywhere.
> http://p.sf.net/sfu/redhat-sfdev2dev
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
------------------------------------------------------------------------------
Join us December 9, 2009 for the Red Hat Virtual Experience,
a free event focused on virtualization and cloud computing. 
Attend in-depth sessions from your desk. Your couch. Anywhere.
http://p.sf.net/sfu/redhat-sfdev2dev

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs