Snort mailing list archives

Re: What do the commented-out rules mean?


From: "evilghost () packetmail net" <evilghost () packetmail net>
Date: Tue, 1 Dec 2009 20:48:53 -0600

Matt/Joel, I could be wrong but I seem to recall a few new signatures in 
the VRT release being commented-out by default, but listed in the change 
log as new additions.  Sadly, I cannot give you an exact release but I 
do distinctly recall this situation.  Was this intentional, and if so, 
would it be possible to get a designator in the change log to indicate 
it's disabled by default?  If unintentional, no harm, I just wasn't sure 
if this was common/expected or not and if VRT releases may include 
signatures that are disabled by default.

Thanks

-evilghost

Matt Olney wrote:
Joel is right.

We turn rules off for several reasons:

- Preprocessors render them irrelevant
- Performance impact too high in relation to the threat
- False positives too high in relation to the threat
- The rule covers an obsolete vuln, and should only be used by people
  trapped by old tech.

Hope that helps,

Matt

Sent from my iPhone

On Dec 1, 2009, at 8:29 PM, Joel Esler <jesler () sourcefire com> wrote:

On Tue, Dec 1, 2009 at 7:15 PM, 林闻捷 <wendyfermilin () gmail com> wrote:
Hi, all

I analyzed the web-activex rules in both the 2.7 and 2.8 versions. There 
are lots of rules commented out (more than half). The same is true of many 
other files. What do commented-out rules mean? Are they bad rules, or are 
they kept as a backup for special usage? Thank you very much!


It means they are off by default.  You can choose to turn them on, if 
they apply to your environment.




-- 
Joel Esler | 302-223-5974 | Gtalk: jesler () sourcefire com
------------------------------------------------------------------------------ 

Join us December 9, 2009 for the Red Hat Virtual Experience,
a free event focused on virtualization and cloud computing.
Attend in-depth sessions from your desk. Your couch. Anywhere.
http://p.sf.net/sfu/redhat-sfdev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
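
An added example, not part of the thread or of any Snort/VRT tooling: a small Python script that treats a commented-out rule line as "off by default", counts enabled versus disabled rules in a file, and lists the sids that are new between two releases with a marker on those shipped disabled. The rule text and sids are constructed samples, and the script assumes one rule per line.

```python
import re

# Snort 2.x rule actions; a rule line starts with one of these (assumes one rule per line).
ACTIONS = r"(?:alert|log|pass|drop|reject|sdrop|activate|dynamic)"
# An optional leading '#' marks a rule that ships commented out, i.e. off by default.
RULE_RE = re.compile(r"^\s*(?P<off>#+\s*)?(?P<rule>" + ACTIONS + r"\s.+\(.*\))\s*$")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
MSG_RE = re.compile(r'\bmsg\s*:\s*"([^"]*)"')


def parse_rules(text):
    """Map sid -> (enabled, msg) for every rule, active or commented out."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        sid = SID_RE.search(m.group("rule")) if m else None
        if not sid:
            continue  # blank line, ordinary comment, or no sid option
        msg = MSG_RE.search(m.group("rule"))
        rules[int(sid.group(1))] = (m.group("off") is None, msg.group(1) if msg else "")
    return rules


def count_states(text):
    """Return (enabled, disabled) rule counts for one rules file."""
    states = [enabled for enabled, _ in parse_rules(text).values()]
    return states.count(True), states.count(False)


def new_rule_report(old_text, new_text):
    """List sids that are new in new_text, flagging those shipped disabled."""
    old, new = parse_rules(old_text), parse_rules(new_text)
    return [(sid, "enabled" if on else "disabled by default", msg)
            for sid, (on, msg) in sorted(new.items()) if sid not in old]


# Constructed sample files; sids are in the local-rule range, not real VRT rules.
HDR = "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any "
OLD_RELEASE = "\n".join([
    "# web-activex sample (older release)",
    HDR + '(msg:"SAMPLE ActiveX control A"; content:"clsid-a"; sid:1000001; rev:1;)',
    "# " + HDR + '(msg:"SAMPLE ActiveX control B"; content:"clsid-b"; sid:1000002; rev:1;)',
])
NEW_RELEASE = "\n".join([
    OLD_RELEASE,
    HDR + '(msg:"SAMPLE ActiveX control C"; content:"clsid-c"; sid:1000003; rev:1;)',
    "#" + HDR + '(msg:"SAMPLE ActiveX control D"; content:"clsid-d"; sid:1000004; rev:1;)',
])

if __name__ == "__main__":
    print("enabled, disabled:", count_states(NEW_RELEASE))
    for row in new_rule_report(OLD_RELEASE, NEW_RELEASE):
        print(*row)
```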
