Snort mailing list archives

3 questions on rules


From: Garrett.Allen () ser com
Date: Thu, 15 May 2003 12:44:16 -0400

Making haste slowly with Snort. Getting tons (U.S., not metric) of alerts,
so trying to winnow out the chaff.
Presently have a Snort 2.0.0 (build 72) install running on an RH 8 Linux
distribution, upgraded from Snort 1.9.1.

1. Looking at the Snort signature DB, I see that for SID 2102, NETBIOS SMB
SMB_COM_TRANSACTION Max Data Count of 0 DoS attempt, the summary section
states "this rule has been deprecated due to an inordinately large number of
false positives." In netbios.rules, however, I still see the rule,
so either 1. I have the wrong rules or 2. I should remove it as it is
deprecated and generating a lot of unneeded alarms. I haven't approached
rule writing, so is there a good HOWTO available if I need to go this route
(or is it as simple as deleting the appropriate lines)?

2. Is there a way to determine the version of the rules that are in use? I
checked a couple of files and didn't see anything that would indicate a
version.

3. I checked the Snort signature database but did not see an explanation for
P2P GNUTella GET. It has a low severity, but again I get tons of them. Any
help on understanding this would be appreciated.

Thanks in advance for your reply.



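Added example, not part of the original post or of the Snort distribution: a small Python helper that does the two housekeeping jobs questions 1 and 2 touch on, against a constructed fragment of a Snort 2.x rules file. It reads the CVS `$Id` keyword line that rules files of that era carried at the top (the file name, revision and date in the sample are made up), lists each rule's `sid`, `rev` and `msg`, and disables a rule by SID by commenting it out instead of deleting it, so the rule can be re-enabled later. The rule bodies are approximations written for the example, not the real signatures; multi-line rules joined with a trailing backslash are handled, and every physical line of a disabled rule is commented so no half-rule is left behind.

```python
"""Toy helper for Snort 2.x rule files: report the file's $Id revision,
list sid/rev/msg per rule, and disable a rule by SID by commenting it out.
Constructed example; not Snort's own tooling."""
import re

# Constructed sample modelled on the layout of a Snort 2.0 rules file.
# The "$Id" header values and the rule bodies are made up for this example.
SAMPLE_RULES = r'''# $Id: netbios.rules,v 1.20 2003/04/18 20:12:11 cazz Exp $
# NETBIOS RULES
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DoS Attempt"; \
    flow:to_server,established; content:"|FF|SMB|25|"; offset:4; depth:5; \
    classtype:attempted-dos; sid:2102; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IPC$ share access"; \
    flow:to_server,established; content:"IPC$"; classtype:protocol-command-decode; sid:537; rev:7;)
'''

# Rule actions understood by Snort 2.0 (inline-mode actions omitted).
ACTIONS = {'alert', 'log', 'pass', 'activate', 'dynamic'}

ID_RE = re.compile(r'^#\s*\$Id:\s*(\S+),v\s+(\S+)\s+(\S+ \S+)')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
REV_RE = re.compile(r'\brev:\s*(\d+)\s*;')
MSG_RE = re.compile(r'msg:\s*"([^"]*)"')


def logical_lines(text):
    """Yield (first_idx, last_idx, joined_text) per logical line, merging
    physical lines that end in a backslash continuation."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        start = i
        buf = lines[i]
        while buf.rstrip().endswith('\\') and i + 1 < len(lines):
            buf = buf.rstrip()[:-1] + ' ' + lines[i + 1].strip()
            i += 1
        yield start, i, buf
        i += 1


def file_version(text):
    """Return (file, cvs_revision, date) from the $Id header, or None."""
    for line in text.splitlines():
        m = ID_RE.match(line)
        if m:
            return m.group(1), m.group(2), m.group(3)
    return None


def parse_rules(text):
    """Return one dict per rule: sid, rev, msg and whether it is enabled
    (a rule whose line starts with '#' is present but disabled)."""
    rules = []
    for _, _, ll in logical_lines(text):
        stripped = ll.strip()
        enabled = not stripped.startswith('#')
        body = stripped.lstrip('# ').strip()
        if body.split(' ', 1)[0] not in ACTIONS:
            continue  # header comment, blank line, var definition, etc.
        sid = SID_RE.search(body)
        if not sid:
            continue
        rev = REV_RE.search(body)
        msg = MSG_RE.search(body)
        rules.append({'sid': int(sid.group(1)),
                      'rev': int(rev.group(1)) if rev else None,
                      'msg': msg.group(1) if msg else '',
                      'enabled': enabled})
    return rules


def disable_sid(text, sid):
    """Comment out every physical line of the enabled rule carrying `sid`.
    Returns (new_text, number_of_rules_changed); already-disabled or
    absent SIDs leave the text unchanged."""
    lines = text.splitlines()
    changed = 0
    for start, end, ll in logical_lines(text):
        if ll.lstrip().startswith('#'):
            continue
        m = SID_RE.search(ll)
        if m and int(m.group(1)) == sid:
            for i in range(start, end + 1):
                lines[i] = '# ' + lines[i]
            changed += 1
    return '\n'.join(lines) + '\n', changed


if __name__ == '__main__':
    print('rules file version:', file_version(SAMPLE_RULES))
    for r in parse_rules(SAMPLE_RULES):
        print(r)
    new_text, n = disable_sid(SAMPLE_RULES, 2102)
    print('disabled %d rule(s)' % n)
    print(new_text)
```

Run on a real rules file by reading it into `text` in place of `SAMPLE_RULES` and writing `disable_sid(text, 2102)[0]` back out; Snort must then be restarted or sent SIGHUP to reload the rule set. The per-rule `rev` counter and the file-level `$Id` line are the two version indicators the script surfaces.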