Snort mailing list archives

RE: Using Snort & DB to remove false alarms


From: "Kreimendahl, Chad J" <Chad.Kreimendahl () umb com>
Date: Wed, 7 Apr 2004 10:05:01 -0500


A return page on a FILE_NOT_FOUND (404) also returns the 404 code in the
header, along with the page. 

-----Original Message-----
From: Jason Haar [mailto:Jason.Haar () trimble co nz] 
Sent: Tuesday, April 06, 2004 6:32 PM
To: Snort Users
Subject: RE: [Snort-users] Using Snort & DB to remove false alarms

On Wed, 2004-04-07 at 03:51, Kreimendahl, Chad J wrote:
Maybe a better idea for this would be to use tagging of some sort and
have another rule that if it matches 404 on the first return packet...
does not alert.   The problem with this is that you'd not be able to

I think this is an excellent idea - but it's a wheel that shouldn't be
re-invented.

Nessus had exactly this issue to contend with, so all that can be stolen
should be from it to do it right.

e.g. Don't expect a "404" error. A lot of people put up "error pages" to
be returned when a bad page is asked for. IIS (can) returns them as
"200" instead of "40x"... Don't ask me why... Anyway, Nessus has code to
work around those kinds of monstrosities.


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration. http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



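As an added example (not code from the thread, from Snort or from Nessus), here is a post-processing check one could run over HTTP responses stored alongside the alerts before deciding whether a web-probe alert is worth keeping. It trusts an explicit 40x status, but also treats a 200 whose body reads like an error page (the IIS behaviour Jason describes) as a miss, so the status line alone does not decide. The sample responses and the error-page phrase list are constructed for the example; the phrase list is a heuristic and would need tuning per site.

```python
import re

# Constructed sample responses (not captured traffic): an honest 404, an
# IIS-style "soft 404" that ships an error page with status 200, and a real hit.
HONEST_404 = (
    "HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n"
    "<html><body><h1>Not Found</h1></body></html>"
)
SOFT_404 = (
    "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\nContent-Type: text/html\r\n\r\n"
    "<html><head><title>Error</title></head><body>"
    "The page cannot be found. HTTP 404 - File not found</body></html>"
)
REAL_HIT = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    "<html><body><h1>Admin console</h1></body></html>"
)

# Phrases typical of custom "error pages" served with a 200 status (constructed list).
SOFT_404_PATTERNS = re.compile(
    r"(page cannot be found|file not found|404 - |not found|no such file)",
    re.IGNORECASE,
)


def parse_status(raw):
    """Return the numeric status from the status line, or None if it is not HTTP."""
    first_line = raw.split("\r\n", 1)[0]
    m = re.match(r"HTTP/\d\.\d (\d{3})", first_line)
    return int(m.group(1)) if m else None


def classify_response(raw):
    """Classify a response as 'miss', 'hit' or 'unknown'.

    An explicit 4xx is a miss. A 2xx whose body looks like an error page is
    also a miss (the soft-404 case). Anything else is left undecided."""
    status = parse_status(raw)
    if status is None:
        return "unknown"
    if 400 <= status < 500:
        return "miss"
    body = raw.split("\r\n\r\n", 1)[1] if "\r\n\r\n" in raw else ""
    if 200 <= status < 300:
        return "miss" if SOFT_404_PATTERNS.search(body) else "hit"
    return "unknown"  # redirects, 5xx: do not touch the alert


def keep_alert(raw):
    """Only drop the alert when the server demonstrably had nothing to serve."""
    return classify_response(raw) != "miss"
```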

