Snort mailing list archives
Re: Re: pif worm
From: "Jim Forster" <jforster () rapidnet com>
Date: Thu, 23 Aug 2001 08:22:02 -0600
I had this (and other high false rules) in the rulesets that were posted on the old Snort.org site. Although they are prone to high falses, it doesn't take much to view the log to tell if it is a false or not. Overall, I was able to stop the spread of quite a few worms with this generic rule, so I felt it was worth keeping in the set. (That and we only had 4 systems with AntiVirus software on them, so a quick catch was VERY important.) :) There are actually a number of 'info only' rules which are much like this one, which I still use today. It's up to the end user to alter the rulebase enough to generate a minimal number of false alarms, or the ability to catch things (including falses) which might not have a specific rule built yet. Just my .02....

----- Original Message -----
From: "James Friesen" <lucretia () telusplanet net>
To: "Caswell,Brian M." <bmc () mitre org>
Cc: "Snort-Users@Lists. Sourceforge. Net" <snort-users () lists sourceforge net>
Sent: Thursday, August 23, 2001 7:22 AM
Subject: RE: [Snort-users] Re: pif worm
Not in my virus.rules file... Perhaps there are multiple rulesets floating around...

> -----Original Message-----
> > These dumb email messages with PIF or SCR in the title are
> > causing a LOT of false alarms here.
>
> These rules are disabled by default on purpose.
>
> CUT-N-PASTE from virus.rules
>
> # NOTE: These rules are NOT being actively maintained. If you would like
> # to update these rules, e-mail snort-sigs () lists sourceforge net
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
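To illustrate the tuning trade-off the thread discusses (a generic keyword match that fires on "PIF"/"SCR" in a subject line versus a check on the actual attachment filename), here is an added Python example. It is not code from the thread or from Snort's virus.rules; the sample messages, rule logic and labels are constructed for illustration.

```python
from email.message import EmailMessage

RISKY_EXTS = (".pif", ".scr")


def build_sample(subject, attach_name=None):
    """Construct a sample message (not from the thread) for testing rules."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content("see attached")
    if attach_name:
        # Placeholder attachment body; only the filename matters here.
        msg.add_attachment(b"not a real program", maintype="application",
                           subtype="octet-stream", filename=attach_name)
    return msg


def generic_rule(msg):
    """Noisy 'info only' style check: the bare keyword anywhere in the message,
    much like a plain content match on the SMTP stream. Fires on discussion
    mail whose subject merely mentions the worm."""
    raw = msg.as_string().lower()
    return any(ext.lstrip(".") in raw for ext in RISKY_EXTS)


def attachment_rule(msg):
    """Tuned check: only attachment filenames ending in a risky extension."""
    return [part.get_filename() for part in msg.iter_attachments()
            if (part.get_filename() or "").lower().endswith(RISKY_EXTS)]


def triage(msg):
    """Label an alert the way an analyst viewing the log would."""
    hits = attachment_rule(msg)
    if hits:
        return "likely worm: " + ", ".join(hits)
    if generic_rule(msg):
        return "false alarm: keyword match, no risky attachment"
    return "no alert"


# Constructed samples: a real .pif attachment, a list thread about the worm, benign mail.
SAMPLES = {
    "worm": build_sample("Check this out", "photo.jpg.pif"),
    "discussion": build_sample("Re: pif worm"),
    "benign": build_sample("Quarterly report", "report.pdf"),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:11} generic={generic_rule(msg)!s:5} -> {triage(msg)}")
```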
Current thread:
- pif worm Bastian Ballmann (Aug 22)
- <Possible follow-ups>
- Re: pif worm Mike Klinke (Aug 22)
- RE: Re: pif worm James Friesen (Aug 23)
- Re: Re: pif worm Brian Caswell (Aug 23)
- RE: Re: pif worm James Friesen (Aug 23)
- Re: Re: pif worm Jim Forster (Aug 23)
- RE: Re: pif worm James Friesen (Aug 23)