Snort mailing list archives

Re: 3 questions on rules


From: Brian <bmc () snort org>
Date: Thu, 15 May 2003 16:44:15 -0400

On Thu, May 15, 2003 at 01:44:16PM -0400, Erek Adams wrote:
On Thu, 15 May 2003 Garrett.Allen () ser com wrote:
1. looking at the snort signature db i see that for sid 2102, netbios smb
smb_com_transaction max data count of 0 dos attempt, the summary section
states "this rule has been deprecated due to an inordinately large number of
false positives."  in the netbios.rules, however, i still see the rule
so either 1. i have the wrong rules or 2. i should remove it as it is
deprecated and generating a lot of unneeded alarms.  i haven't approached
rule writing so is there a good howto available if i need to go this route
(or is it as simple as deleting the appropriate lines).

You don't have the wrong rules.  That rule is enabled in the default
ruleset.  Yes, it does say 'deprecated', but I don't know if it should be
removed or what.  That would be one for our Benevolent Rule Nazi, Brian.
:)

It has been deprecated.  You need to update your ruleset.  If you
track our rule changes, you would see that one of the changes I made
was to move it to deleted.rules.

max data count of 0 happens quite a bit on real networks. 

-brian
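The thread turns on two ways of dealing with a retired signature: updating the ruleset so the rule lands in deleted.rules (Brian's answer), or commenting it out of the active file by hand (Garrett's "deleting the appropriate lines"). The script below is an added example, not Brian's code or anything shipped with Snort: it parses Snort 2.x rule lines by their sid option, reports whether a SID is enabled, commented out, retired to deleted.rules, or still active in a regular file even though a deleted.rules copy exists (a sign the ruleset is out of date), and can comment a SID out. The rules files are constructed samples embedded inline; the rule bodies are placeholders and not the real Snort rules, only the message for sid 2102 is taken from the thread.

```python
"""Locate and disable a Snort rule by SID across rules files (added example, not Snort's own code)."""
import re
from typing import Dict, List

# The sid option inside a rule body, e.g. "sid:2102;".  Leading "#" marks a disabled rule.
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
RETIRED_FILE = "deleted.rules"  # where Snort's maintainers move retired rules

# Constructed sample files.  Bodies are placeholders, not the real Snort rules.
SAMPLE_FILES: Dict[str, str] = {
    "netbios.rules": "\n".join([
        "# constructed sample netbios.rules (stale copy that still carries sid 2102)",
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB SMB_COM_TRANSACTION '
        'Max Data Count of 0 DoS Attempt"; flow:to_server,established; content:"|FF|SMB"; sid:2102; rev:1;)',
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB sample rule A"; '
        'flow:to_server,established; content:"|FF|SMB"; sid:900001; rev:1;)',
        '# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB sample rule B"; '
        'flow:to_server,established; content:"|FF|SMB"; sid:900002; rev:1;)',
    ]) + "\n",
    "deleted.rules": "\n".join([
        "# constructed sample deleted.rules: rules moved here are retired from the active set",
        '# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB SMB_COM_TRANSACTION '
        'Max Data Count of 0 DoS Attempt"; flow:to_server,established; content:"|FF|SMB"; sid:2102; rev:1;)',
        '# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB sample rule C"; '
        'flow:to_server,established; content:"|FF|SMB"; sid:900003; rev:1;)',
    ]) + "\n",
}


def parse_rules(text: str) -> List[dict]:
    """Return one record per line that carries a sid option: sid, enabled flag, line number, raw line."""
    records = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        match = SID_RE.search(stripped)
        if not match:
            continue  # blank lines, plain comments, variable definitions
        records.append({
            "sid": int(match.group(1)),
            "enabled": not stripped.startswith("#"),
            "lineno": lineno,
            "line": line,
        })
    return records


def find_sid(files: Dict[str, str], sid: int) -> List[dict]:
    """Every occurrence of a SID across all files, tagged with the file name."""
    hits = []
    for name, text in files.items():
        for rec in parse_rules(text):
            if rec["sid"] == sid:
                hits.append(dict(rec, file=name))
    return hits


def rule_status(files: Dict[str, str], sid: int) -> str:
    """absent | enabled | disabled | retired | stale (active copy outside deleted.rules plus a retired copy)."""
    hits = find_sid(files, sid)
    if not hits:
        return "absent"
    retired = any(h["file"] == RETIRED_FILE for h in hits)
    active = any(h["enabled"] and h["file"] != RETIRED_FILE for h in hits)
    if active and retired:
        return "stale"  # ruleset needs updating: the rule was moved to deleted.rules upstream
    if active:
        return "enabled"
    if retired:
        return "retired"
    return "disabled"


def disable_sid(files: Dict[str, str], sid: int) -> Dict[str, str]:
    """Comment out every active line carrying the SID; returns new file contents, originals untouched."""
    updated = {}
    for name, text in files.items():
        out_lines = []
        for line in text.splitlines():
            stripped = line.strip()
            match = SID_RE.search(stripped)
            if match and int(match.group(1)) == sid and not stripped.startswith("#"):
                line = "# " + line
            out_lines.append(line)
        updated[name] = "\n".join(out_lines) + ("\n" if text.endswith("\n") else "")
    return updated


if __name__ == "__main__":
    for sid in (2102, 900001, 900002, 900003, 1):
        print(sid, rule_status(SAMPLE_FILES, sid))
    print(2102, "after disable ->", rule_status(disable_sid(SAMPLE_FILES, 2102), 2102))
```

To run it against a real installation, replace SAMPLE_FILES with a dict built from open(path).read() for each file in the rules directory; a "stale" result is the situation described in the thread, where the local netbios.rules predates the move of sid 2102 to deleted.rules.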



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users