Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: commenting out rules?

From: Colin Wu <wucolin () mcmaster ca>
Date: Mon, 18 Jun 2001 11:29:31 -0400
A couple of possibilities come to mind:
1. There are actually two rules in web-misc.rules that match "directory
traveral", one unix flavour and one MS-DOS flavour.  Did you comment out both?
2. You're commenting out the rules in the wrong file.  Is the file you're
editing actually the file snort is using?

BTW, I hate losing information and commenting out a rule is losing information.
If someone does attack you and http directory traversal is involved in the
attack you'll never know if you don't at least log the traffic.  What I tend to
do is change the 'alert' action to 'log' for any rules I think are generating
too many false positives.  That way if I do need to see who's doing what at a
later date I still have the packet in the logs.

My $0.02.

"Sheahan, Paul (PCLN-NW)" wrote:


I am seeing a ton of "http directory traversals" appear in my snort logs
which I have determined to be normal in my environment. So I commented out
this rule in web-misc.rules. Then I killed and re-ran Snort. But it is still
appearing in my alert log. I tried removing the line from web-misc.rules all
together just be sure, and it still keeps appearing in the logs as a
possible attack.

What am I missing? How do I get Snort to stop checking for this attack and
others like it?

Thanks!
Paul

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


--

   __     _             _            Network Analyst
  /  )   //            ' )   /       Computing & Information Services
 /    __|/  o ____      / / / . .    McMaster University
(__/ (_) \_<_/ / <_    (_(_/ (_/_    (905)525-9140 ext 24050
                                     http://netman.McMaster.CA



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: