Snort mailing list archives

Trying to understand file.exe flowbit


From: Bobby Hinzman <rhinzm826 () gmail com>
Date: Fri, 11 Jan 2013 14:25:25 -0500

Hello,

I'm currently running Snort 2.9.3.1 with Pulledpork to manage rules, have
an active Subscriber subscription to VRT rules, and am running a 'balanced'
policy with a number of rules enabled and disabled in PP.

My problem is that currently sid 15306 is about 43% of my total generated
alerts and I'd like to turn it off. However, 15306 sets the file.exe
flowbit. Looking through the rules I noticed a number of other sids also
set file.exe (including 11192, 16313, 16425, 21908, 21909, and 23725 but I
may have missed a few others). If any of those other rules set file.exe do
I still need 15306 to be enabled for all of the rules that check for the
file.exe flowbit?

Thanks!

Bobby
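One way to answer this for a local rule set is to resolve the flowbit dependencies directly: list which enabled rules set a bit and which enabled rules check it, then simulate disabling a sid and see whether any checker is left with no enabled setter. The following is an added example, not code from the thread or from Snort/PulledPork; the rule lines are constructed (only flowbits-related options are shown, the sids 15306, 16313 and 11192 are taken from the question, and sid 90001 is a made-up checker), and the parser only understands the `flowbits:` forms it names.

```python
import re
from collections import defaultdict

# Constructed sample rule set, not the real VRT rule text: the sids are those named
# in the question, only flowbits-related options are shown, a leading '#' marks a
# rule that pulledpork has disabled, and sid 90001 is a made-up checker rule.
SAMPLE_RULES = r"""
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"setter A"; flowbits:set,file.exe; flowbits:noalert; sid:15306; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"setter B"; flowbits:set,file.exe; flowbits:noalert; sid:16313; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"setter C"; flowbits:set,file.exe; flowbits:noalert; sid:11192; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"checker"; flowbits:isset,file.exe; sid:90001; rev:1;)
"""

# flowbits:<op>[,<bit>[&<bit>...][,<group>]]  (the optional group field is ignored)
FLOWBITS_RE = re.compile(r"flowbits:\s*([a-z]+)(?:\s*,\s*([^,;]+))?(?:\s*,\s*[^;]+)?\s*;")
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")

def parse_rules(text):
    """One dict per rule: sid, enabled flag, bits it sets, bits it checks."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        body = line.lstrip("# ")
        m = SID_RE.search(body)
        if not m or "(" not in body:          # blank line or a plain comment
            continue
        rule = {"sid": int(m.group(1)), "enabled": not line.startswith("#"),
                "sets": set(), "checks": set()}
        for op, bits in FLOWBITS_RE.findall(body):
            names = {b.strip() for b in re.split(r"[&|]", bits)} if bits else set()
            if op in ("set", "setx", "toggle"):
                rule["sets"] |= names
            elif op in ("isset", "isnotset"):
                rule["checks"] |= names
        rules.append(rule)
    return rules

def orphaned_checks(rules, disable=()):
    """Bits that an enabled rule checks but no enabled rule sets, after also
    disabling the sids in `disable`: those checkers can never fire."""
    live = [dict(r, enabled=r["enabled"] and r["sid"] not in set(disable)) for r in rules]
    set_bits = {b for r in live if r["enabled"] for b in r["sets"]}
    orphans = defaultdict(list)
    for r in live:
        if r["enabled"]:
            for b in sorted(r["checks"] - set_bits):
                orphans[b].append(r["sid"])
    return dict(orphans)
```

With the sample set, `orphaned_checks(parse_rules(SAMPLE_RULES), [15306])` returns `{}` because 11192 still sets `file.exe`, while disabling 11192 as well returns `{'file.exe': [90001]}`, i.e. the checker would be silently neutralised; Snort also prints a startup warning for a flowbit that is checked but never set, which is worth watching after a PulledPork run.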