Snort mailing list archives
Re: proper metadata use?
From: JJ Cummings <cummingsj () gmail com>
Date: Tue, 27 Apr 2010 18:04:06 -0600
Will, certainly a valid concern.... Currently pulledpork does not set rules automatically to a "drop" state... But rather alert only... The user must specify to pulledpork what rules they want to set as drop, using the dropsid configuration option...

HTH
JJC

Sent from the iRoad

On Apr 27, 2010, at 17:37, Will Metcalf <william.metcalf () gmail com> wrote:
Is the metadata policy for all of these rules correct? If people start using pulled-pork for policy drop stuff... or maybe I'm mis-understanding the meaning of this metadata tag.

    grep "security-ips drop" *.rules | grep "flowbits\:\s*noalert"

Looks like it would end up in a lot of traffic that is being used for protocol decode. It is generally a bad idea to mix drop and flowbits:noalert as valid traffic ends up getting dropped and the users have no idea why. Just my 2 cents....

Regards,
Will

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
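The check behind the grep pipeline in the quoted message, as an added example that is not part of the original thread or of pulledpork: it parses each rule's options and reports the SIDs that carry both `flowbits:noalert` and a `policy <name> drop` metadata entry, so they can be reviewed before being set to drop. The sample rules, their SIDs and the function names are constructed for illustration.

```python
import re

# Constructed sample rules (not from any real rule set); SIDs are placeholders.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE state tracker"; flow:to_server,established; content:"GET"; flowbits:set,example.get; flowbits:noalert; metadata:policy balanced-ips drop, policy security-ips drop, service http; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE detection"; flow:to_server,established; flowbits:isset,example.get; content:"a\;b"; metadata:policy security-ips drop; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"EXAMPLE alert-only tracker"; flowbits:set,example.smtp; flowbits: noalert; metadata:policy security-ips alert; sid:1000003; rev:2;)
# alert tcp any any -> any 21 (msg:"EXAMPLE disabled tracker"; flowbits:set,example.ftp; flowbits:noalert; metadata:policy security-ips drop; sid:1000004; rev:1;)
'''

# Rule header, then the option body in parentheses; a leading '#' marks a disabled rule.
RULE_RE = re.compile(
    r'^\s*(#\s*)?(?:alert|drop|log|pass|reject|sdrop)\s[^(]*\((.*)\)\s*$')


def parse_options(body):
    """Split a rule body into (keyword, value) pairs on unescaped semicolons."""
    opts = []
    for chunk in re.split(r'(?<!\\);', body):
        chunk = chunk.strip()
        if chunk:
            key, _, value = chunk.partition(':')
            opts.append((key.strip().lower(), value.strip()))
    return opts


def audit(rules_text, policy="security-ips"):
    """Return rules that combine flowbits:noalert with 'policy <policy> drop'."""
    findings = []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        opts = parse_options(m.group(2))
        noalert = any(k == "flowbits" and v.replace(" ", "").lower() == "noalert"
                      for k, v in opts)
        # metadata is a comma-separated list of space-separated key/value entries
        meta = [entry.lower().split()
                for k, v in opts if k == "metadata" for entry in v.split(",")]
        if noalert and ["policy", policy, "drop"] in meta:
            sid = next((v for k, v in opts if k == "sid"), None)
            findings.append({"sid": int(sid) if sid else None,
                             "enabled": m.group(1) is None})
    return findings


if __name__ == "__main__":
    for hit in audit(SAMPLE_RULES):
        print(hit)
```
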