Snort mailing list archives

Re: Trying to understand file.exe flowbit


From: Joel Esler <jesler () sourcefire com>
Date: Fri, 11 Jan 2013 15:49:05 -0500

On Jan 11, 2013, at 2:25 PM, Bobby Hinzman <rhinzm826 () gmail com> wrote:

Hello,

I'm currently running Snort 2.9.3.1 with Pulledpork to manage rules, have an active Subscriber subscription to VRT 
rules, and am running a 'balanced' policy with a number of rules enabled and disabled in PP.

My problem is that currently sid 15306 is about 43% of my total generated alerts and I'd like to turn it off. 
However, 15306 sets the file.exe flowbit. Looking through the rules I noticed a number of other sids also set 
file.exe (including 11192, 16313, 16425, 21908, 21909, and 23725, but I may have missed a few others). If any of those 
other rules set file.exe, do I still need 15306 to be enabled for all of the rules that check for the file.exe flowbit?

Bobby,

I'd suggest leaving it enabled.  You can suppress the events, I believe you will find what you are looking for here: 
http://manual.snort.org/node206.html

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
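An added illustration, not part of the thread and not VRT rule content: a constructed setter/checker rule pair showing why a flowbit checker depends on at least one enabled setter, followed by the threshold.conf suppress entry that silences sid 15306 while leaving the rule (and its flowbits:set) active. The sids 1000001/1000002, the rule bodies and the content matches are made up; only sid 15306 and the file.exe flowbit come from the thread.

```conf
# Constructed example rules (local.rules), NOT real VRT rules.
# Setter: spots the start of a PE image in an HTTP response body and records
# that fact on the flow so later rules can build on it.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE PE file in HTTP response (setter)"; \
    flow:to_client,established; file_data; content:"MZ"; depth:2; \
    flowbits:set,file.exe; sid:1000001; rev:1;)

# Checker: flowbits:isset only succeeds if some enabled rule already set
# file.exe on this flow. Disable every setter and this rule can never fire.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE packed section name in PE (checker)"; \
    flow:to_client,established; flowbits:isset,file.exe; file_data; content:"UPX0"; \
    sid:1000002; rev:1;)

# threshold.conf (included from snort.conf): drop the events from sid 15306
# without disabling it. The rule still evaluates and still sets file.exe;
# only its alerts are discarded. Editing the downloaded rule text instead
# would be undone at the next PulledPork update.
suppress gen_id 1, sig_id 15306

# Alternative if you want to keep a trickle of visibility: rate-limit instead
# of suppressing, here at most one alert per source IP per hour.
# event_filter gen_id 1, sig_id 15306, type limit, track by_src, count 1, seconds 3600
```

After changing threshold.conf, restart Snort and confirm the checker rules that depend on file.exe still produce alerts in your test traffic.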
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!