Snort mailing list archives

Re: How's best to alert on Web connections that *don't* contain particular content?


From: Frank Knobbe <fknobbe () knobbeits com>
Date: 26 Feb 2003 11:30:42 -0600

On Tue, 2003-02-25 at 16:18, Jason Haar wrote:
Yeah - but the problem with those sorts of rules is that you end up skipping
the rest of the IDS rules too. This rule needs to be at the top so that it
triggers before any "normal" rule can get at it. (That's because any match
is a "pageable" event vs just a standard alert: you should know you're
compromised if one of these triggers.)

I think PASSing them with Trend Micro's IP address in the pass rule seems
very reasonable, since you still analyze everything else. I would
tweak/pass it as part of the tuning process. Let the alert fire and
check the details (like the IP addresses of Trend's servers) and construct
your pass rules from that.

Regards,
Frank
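As an added illustration of the tuning step described above (not code from the original thread), this Python helper takes Snort fast-format alert lines produced by the "content missing" rule, tallies the servers that triggered it, and emits a pass rule for each one you have confirmed to be legitimate. The sid numbers, rule message and IP addresses in the sample alerts are constructed placeholders, not Trend Micro's real servers.

```python
import re
from collections import Counter

# Snort "fast" alert format, one alert per line, e.g.:
# 02/26-11:30:42.123456  [**] [1:1000001:1] WEB-MISC missing expected content [**]
#   [Priority: 1] {TCP} 10.0.0.5:34567 -> 192.0.2.10:80
FAST_ALERT = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r".*\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample alerts; sid 1000001 stands for the "content missing" rule.
SAMPLE_ALERTS = [
    "02/26-11:30:42.123456  [**] [1:1000001:1] WEB-MISC missing expected content [**] "
    "[Priority: 1] {TCP} 10.0.0.5:34567 -> 192.0.2.10:80",
    "02/26-11:31:02.654321  [**] [1:1000001:1] WEB-MISC missing expected content [**] "
    "[Priority: 1] {TCP} 10.0.0.9:40001 -> 192.0.2.10:80",
    "02/26-11:31:10.000001  [**] [1:1000001:1] WEB-MISC missing expected content [**] "
    "[Priority: 1] {TCP} 10.0.0.9:40002 -> 198.51.100.7:80",
    "02/26-11:32:00.000002  [**] [1:2003:1] some unrelated rule [**] "
    "[Priority: 2] {TCP} 10.0.0.5:34600 -> 192.0.2.10:80",
]


def destinations_for_sid(alert_lines, sid):
    """Count (proto, dst_ip, dst_port) tuples that fired the given sid."""
    hits = Counter()
    for line in alert_lines:
        m = FAST_ALERT.search(line)
        if m and m.group("sid") == sid:
            hits[(m.group("proto").lower(), m.group("dst"), m.group("dport"))] += 1
    return hits


def build_pass_rules(hits, min_hits=2, first_sid=1000100):
    """Emit one pass rule per server seen at least min_hits times.

    Review the list before loading it: only servers you have verified as
    legitimate (e.g. the vendor's update hosts) belong in pass rules.
    Older Snort evaluates alert rules before pass rules unless run with -o
    (or "config order:" in snort.conf), so check your rule order as well.
    """
    rules = []
    for (proto, dst, dport), count in sorted(hits.items()):
        if count < min_hits:
            continue
        sid = first_sid + len(rules)  # keep sids contiguous and unique
        rules.append(
            f"pass {proto} $HOME_NET any -> {dst} {dport} "
            f'(msg:"Tuning - known-good server {dst}"; sid:{sid}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    for rule in build_pass_rules(destinations_for_sid(SAMPLE_ALERTS, "1000001")):
        print(rule)
```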