Snort mailing list archives
Re: 1:17239 False Positive
From: Joel Esler <jesler () sourcefire com>
Date: Tue, 12 Oct 2010 16:11:02 -0400
On Oct 12, 2010, at 3:57 PM, waldo kitty wrote:
> On 10/12/2010 15:42, Joel Esler wrote:
>> Right, that's the general rule of thumb, however, this rule was updated in today's rulepack.
>>
>> Joel
>>
>> On Oct 12, 2010, at 12:21 PM, Christopher A. Libby wrote:
>>> My initial guess would be disable this rule if you aren't using the product [...]
>
> "the general rule of thumb" depends on which side of the fence one is standing and operating on... on my side of the fence, if there is some bad traffic, i want to know about it... just because i'm not using a particular product doesn't mean that i'm willing to let that abusive traffic and those abusive IPs access my network(s)... if some IP is beating on my network with traffic attempting to compromise a package that i'm not running, they are obviously up to no good and they are quite unwelcome in my network(s)... as such they are unceremoniously blocked with all due prejudice available...
>
> this is especially true with web-based traffic... just because i'm not running a CMS doesn't mean that i'm going to allow my server(s) and application(s) to be beat on with traffic that is attempting to violate any CMS product... why should i allow all that traffic on my network(s)? why should i subject my server(s) and app(s) to that kind of beating? thanks but no thanks...
That's certainly one way of looking at it, and depending on the environment, I agree that might be interesting. But for people who are just trying to understand the alerts in their environment, turning off rules for software they don't run may be a viable tuning step.

J

--
Joel Esler
302-223-5974

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
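The two ways of handling such alerts that this thread contrasts (tune the rule out because the product is not deployed, or keep the rule and block the sources that trip it) can both be driven from the same alert log. The script below is an added example, not code from the original thread, from Sourcefire, or from the Snort project. It parses constructed lines in Snort's alert_fast format, emits gid:sid entries in the one-per-line form that PulledPork's disablesid.conf accepts for SIDs you have decided cover software you don't run, and, for the other approach, counts the source IPs that triggered those SIDs and renders iptables DROP rules for them as strings. The sample alert lines and their message text are placeholders; the example makes no claim about what SID 1:17239 actually detects.

```python
import re
from collections import Counter

# Constructed sample lines in Snort's alert_fast format (not taken from the thread).
# The message text is a placeholder; nothing here claims what SID 1:17239 really matches.
SAMPLE_ALERTS = """\
10/12-15:42:01.123456  [**] [1:17239:3] PLACEHOLDER-MSG-A [**] [Priority: 2] {TCP} 203.0.113.7:51234 -> 192.0.2.10:80
10/12-15:42:03.223456  [**] [1:17239:3] PLACEHOLDER-MSG-A [**] [Priority: 2] {TCP} 203.0.113.7:51240 -> 192.0.2.10:80
10/12-15:43:10.000001  [**] [1:2100001:1] PLACEHOLDER-MSG-B [**] [Priority: 3] {TCP} 198.51.100.4:40000 -> 192.0.2.10:22
10/12-15:44:55.500000  [**] [1:17239:3] PLACEHOLDER-MSG-A [**] [Priority: 2] {TCP} 203.0.113.9:4444 -> 192.0.2.11:80
"""

# Fields of one alert_fast line: [gid:sid:rev] msg, protocol, and src:port -> dst:port.
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r".*?\{(?P<proto>\w+)\} (?P<src>[0-9.]+):(?P<sport>\d+) -> (?P<dst>[0-9.]+):(?P<dport>\d+)"
)


def parse_alerts(text):
    """Return one dict per parseable alert line; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def disablesid_lines(events, unused_sids):
    """Option 1 (tuning): gid:sid entries, one per line as PulledPork's disablesid.conf
    expects, for rules that fired but whose SIDs you have classified as covering
    software not deployed on this network. Only SIDs that actually fired are emitted,
    so the list stays grounded in observed alerts."""
    fired = {(e["gid"], e["sid"]) for e in events}
    return sorted(f"{gid}:{sid}" for gid, sid in fired if sid in unused_sids)


def offenders(events, sids, min_hits=1):
    """Option 2 (block the source): count source IPs that tripped the given SIDs.
    min_hits lets you ignore one-off hits and act only on repeat offenders."""
    hits = Counter(e["src"] for e in events if e["sid"] in sids)
    return {ip: n for ip, n in hits.items() if n >= min_hits}


def iptables_drop_rules(ips):
    """Render one iptables DROP rule per offending IP (strings only; nothing is executed)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(ips)]


if __name__ == "__main__":
    evs = parse_alerts(SAMPLE_ALERTS)
    unused = {"17239"}  # assumption for the demo: this SID covers a product we don't run
    print("# disablesid.conf entries:")
    for entry in disablesid_lines(evs, unused):
        print(entry)
    print("# sources that tripped those SIDs:", offenders(evs, unused))
    print("# block rules for repeat offenders:")
    for rule in iptables_drop_rules(offenders(evs, unused, min_hits=2)):
        print(rule)
```

Whichever approach you take, do it from the alert record rather than from memory: the disablesid list only ever contains rules that actually fired on your sensor, and the block list is limited to addresses seen hitting those rules at least min_hits times, so a single stray hit does not earn a permanent firewall entry.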
Current thread:
- 1:17239 False Positive Christopher A. Libby (Oct 12)
- Re: 1:17239 False Positive James Lay (Oct 12)
- Re: 1:17239 False Positive Christopher A. Libby (Oct 12)
- Re: 1:17239 False Positive Joel Esler (Oct 12)
- Re: 1:17239 False Positive waldo kitty (Oct 12)
- Re: 1:17239 False Positive Joel Esler (Oct 12)
- Re: 1:17239 False Positive Christopher A. Libby (Oct 12)
- Re: 1:17239 False Positive James Lay (Oct 12)