Snort mailing list archives
Re: Fwd: Snort catching backup as alert?
From: Joel Esler <jesler () sourcefire com>
Date: Sun, 25 Aug 2013 08:40:48 -0400
The best way to use these rules, is to turn them on has "indicators". These rules can be turned on alongside of other rules. -- Joel Esler
On Aug 24, 2013, at 8:45 PM, waldo kitty <wkitty42 () windstream net> wrote:On 8/19/2013 12:26, Alexandre Carmel-Veilleux wrote: Hi, The shellcode detector is a frequent source of false positives. It's basically only matching strings of letters / characters that frequently happen in shellcodes in any network packet. Most of the better exploitation tools out there can randomize their shell codes avoiding this rule altogether. This is basically designed to catch very low hanging fruits (like some bad automated scanners). You can reduce the impact by making sure both your servers are in $HOME_NET's IP range. Possibly encrypting the backups you do will modify the character signature enough as well. Otherwise, be somewhat skeptical of that alert.agreed completely! :) -- NOTE: No off-list assistance is given without prior approval. Please keep mailing list traffic on the list unless private contact is specifically requested and granted. ------------------------------------------------------------------------------ Introducing Performance Central, a new site from SourceForge and AppDynamics. Performance Central is your source for news, insights, analysis and resources for efficient Application Performance Management. Visit us today! http://pubads.g.doubleclick.net/gampad/clk?id=48897511&iu=/4140/ostg.clktrk _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------ Introducing Performance Central, a new site from SourceForge and AppDynamics. Performance Central is your source for news, insights, analysis and resources for efficient Application Performance Management. Visit us today! http://pubads.g.doubleclick.net/gampad/clk?id=48897511&iu=/4140/ostg.clktrk _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Fwd: Snort catching backup as alert? William Rehnquyst (Aug 19)
- Re: Fwd: Snort catching backup as alert? Jefferson, Shawn (Aug 19)
- Re: Fwd: Snort catching backup as alert? waldo kitty (Aug 19)
- Re: Fwd: Snort catching backup as alert? William Rehnquyst (Aug 22)
- Re: Fwd: Snort catching backup as alert? waldo kitty (Aug 22)
- Re: Fwd: Snort catching backup as alert? William Rehnquyst (Aug 22)
- Re: Fwd: Snort catching backup as alert? Alexandre Carmel-Veilleux (Aug 24)
- Re: Fwd: Snort catching backup as alert? waldo kitty (Aug 24)
- Re: Fwd: Snort catching backup as alert? Joel Esler (Aug 25)
- Re: Fwd: Snort catching backup as alert? waldo kitty (Aug 24)