Snort mailing list archives

Re: Rule efficiency


From: waldo kitty <wkitty42 () windstream net>
Date: Sat, 24 Jul 2010 02:16:09 -0400

On 7/23/2010 16:12, Isherwood, Jeffrey - IS wrote:
If it turns out that mgmt DOES want just web traffic, the use of the http_header
will tell the sensors to stop alerting on the content on pages then correct? I
have been getting false positives where a user visits a page with a link or
mention of “crappydomain.com” on it and that visit sets off the alert…

this is exactly the false positive i was speaking of... forum pages with 
discussions about crappydomain.com were one i was thinking of... these mailing list 
posts are another very prominent example ;)

did you see my offering where we use content like you are and then include an 
anchor on the http host header without using the http_header option?
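As an added illustration of the three rule shapes discussed in this thread (these are not rules posted by either participant), the block below shows a rule that matches the domain anywhere in the stream, the same match restricted to the HTTP header buffer with the http_header modifier, and the anchored form that keys on the Host header line without http_header. Snort 2.x syntax is assumed; the SIDs, msg strings and the domain are placeholders, and the $HOME_NET, $EXTERNAL_NET and $HTTP_PORTS variables are the usual snort.conf definitions.

```snort
# 1. Noisy form: the string is matched anywhere in the payload in either
#    direction, so a forum page or list archive that merely mentions the
#    domain (server -> client) fires it, as does a POST body that quotes it.
alert tcp $HOME_NET any <> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"LOCAL crappydomain.com string seen in web traffic (noisy)"; \
    flow:established; \
    content:"crappydomain.com"; nocase; \
    classtype:policy-violation; sid:1000001; rev:1; )

# 2. http_header form: the match is confined to the normalised HTTP header
#    buffer of the client request, so page bodies are never inspected.
#    "|3A|" is the colon; nocase covers mixed-case header names and hosts.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"LOCAL HTTP request to crappydomain.com (Host header)"; \
    flow:to_server,established; \
    content:"Host|3A| crappydomain.com"; nocase; http_header; \
    classtype:policy-violation; sid:1000002; rev:1; )

# 3. Anchored raw form, as described in this reply: no http_header, but the
#    content is pinned to a complete "Host: <domain>" header line by the
#    surrounding CRLFs, so a bare mention of the domain elsewhere cannot
#    satisfy it. flow:to_server keeps the rule off the returned page.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"LOCAL HTTP request to crappydomain.com (anchored Host line)"; \
    flow:to_server,established; \
    content:"|0D 0A|Host|3A 20|crappydomain.com|0D 0A|"; nocase; \
    classtype:policy-violation; sid:1000003; rev:1; )
```

Two caveats when testing these against real traffic: the trailing `|0D 0A|` in rule 3 means a request to `crappydomain.com:8080` (Host header carrying a port) will not match, and neither rule 2 nor rule 3 matches subdomains such as `www.crappydomain.com` unless the content is written without the leading space or a separate rule covers them. Rule 2 also depends on the http_inspect preprocessor being enabled for the ports in $HTTP_PORTS, otherwise the http_header buffer is never populated.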

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users