Snort mailing list archives
proper metadata use?
From: Will Metcalf <william.metcalf () gmail com>
Date: Tue, 27 Apr 2010 18:37:11 -0500
Is the metadata policy for all of these rules correct? If people start using pulled-pork for policy drop stuff... or maybe I'm mis-understanding the meaning of this metadata tag.

    grep "security-ips drop" *.rules | grep "flowbits\:\s*noalert"

Looks like it would end up in a lot of traffic that is being used for protocol decode. It is generally a bad idea to mix drop and flowbits:noalert as valid traffic ends up getting dropped and the users have no idea why.

Just my 2 cents....

Regards,

Will

------------------------------------------------------------------------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
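An added example, not part of the message above and not code from Snort or PulledPork: a rule audit that does what the grep pipeline does, but parses each rule's options so that spacing, option order and commented-out rules are handled. The sample rules, SIDs and the function names `parse_options` and `audit` are constructed for illustration.

```python
import re

# Constructed sample rules (not from any real ruleset); SIDs and names are made up.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE smb session setup"; flow:to_server,established; content:"|FF|SMB"; flowbits:set,example.smb; flowbits:noalert; metadata:policy balanced-ips drop, policy security-ips drop; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE smb overflow attempt"; flow:to_server,established; flowbits:isset,example.smb; content:"|41 41 41 41|"; metadata:policy security-ips drop; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE http decode"; flow:to_server,established; flowbits:set,example.http; flowbits: noalert; metadata:policy security-ips alert; sid:1000003; rev:1;)
# alert tcp any any -> any any (msg:"EXAMPLE disabled"; flowbits:noalert; metadata:policy security-ips drop; sid:1000004; rev:1;)
'''

RULE_RE = re.compile(r'^(#\s*)?(alert|log|pass|drop|reject|sdrop)\s')
# name[:value]; where the value may hold quoted strings and backslash escapes
OPTION_RE = re.compile(r'\s*([a-z_.]+)\s*(?::\s*((?:\\.|"(?:\\.|[^"\\])*"|[^;"\\])*))?;')

def parse_options(rule):
    """Return (name, value) pairs from the parenthesised option body."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    return [(m.group(1), (m.group(2) or '').strip()) for m in OPTION_RE.finditer(body)]

def audit(text, policy='security-ips', action='drop'):
    """List rules carrying flowbits:noalert and 'policy <policy> <action>' metadata."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        head = RULE_RE.match(line)
        if not head or '(' not in line or ')' not in line:
            continue
        opts = parse_options(line)
        policies = set()
        for name, value in opts:
            if name == 'metadata':
                for item in value.split(','):
                    words = item.split()
                    if len(words) == 3 and words[0] == 'policy':
                        policies.add((words[1], words[2]))
        flowbits = [v.replace(' ', '') for n, v in opts if n == 'flowbits']
        if 'noalert' in flowbits and (policy, action) in policies:
            findings.append({
                'sid': next((int(v) for n, v in opts if n == 'sid'), None),
                # Commented-out rules are reported too: a policy-based rule
                # manager may enable them from their metadata.
                'enabled': head.group(1) is None,
                'sets': [f.split(',', 1)[1] for f in flowbits if f.startswith('set,')],
            })
    return findings

if __name__ == '__main__':
    for finding in audit(SAMPLE_RULES):
        print(finding)
```

The `sets` field names the flowbits each flagged rule establishes, which shows which later detection rules depend on that state.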
Current thread:
- proper metadata use? Will Metcalf (Apr 27)
- Re: proper metadata use? JJ Cummings (Apr 27)
- Re: proper metadata use? Will Metcalf (Apr 28)
- Re: proper metadata use? JJ Cummings (Apr 27)