Snort mailing list archives

Notes for Community rule 29456


From: Jeremy Hoel <jthoel () gmail com>
Date: Fri, 24 Jan 2014 00:50:32 +0000

We had to add a few things to this rule to not alert on valid traffic.
I'm not sure if these should be in the rule, but they might help
someone else.

NetApps do pings to DC's with no data, so with James's help, we found
that dsize:>10; made those alerts go away.

DC's were talking to other DC's:
content:!"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"; depth:36;

And the "abcd...hi" was all upper case, and some devices send lower
case, so we added another !content with lowercase instead of using
'nocase' (to avoid maybe having something sent via mixed case get
by).
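A small Python model of how the three tuning options described in this post interact, added here as an illustration; it is neither code from the post nor Snort's own matching engine. The ICMP payloads are constructed, the "abcd...hi" string is replaced by a constructed stand-in, and dsize, content:! and depth are modelled in a simplified way.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the elided "abcd...hi" string in the post (the real
# pattern is not reproduced here), plus the 32-byte run of "E" he quotes.
PATTERN_UPPER = b"ABCDEFGHI"
PATTERN_LOWER = PATTERN_UPPER.lower()
PATTERN_E = b"E" * 32


@dataclass(frozen=True)
class NegContent:
    """One content:!"..." option with optional depth and nocase modifiers."""
    pattern: bytes
    depth: Optional[int] = None
    nocase: bool = False

    def found(self, payload: bytes) -> bool:
        # depth:N confines the search to the first N bytes of the payload
        window = payload if self.depth is None else payload[:self.depth]
        pat = self.pattern
        if self.nocase:
            window, pat = window.lower(), pat.lower()
        return pat in window


def rule_alerts(payload: bytes, min_dsize: int, negated: list) -> bool:
    """True when the tuned rule would fire on this ICMP payload.

    dsize:>N needs a payload strictly longer than N bytes; each negated
    content suppresses the alert when its pattern IS found in its window.
    """
    if len(payload) <= min_dsize:
        return False
    return not any(nc.found(payload) for nc in negated)


# The tuning from the post: dsize:>10, the E-run within depth 36, and two
# case-sensitive negations rather than one negation with nocase.
TUNED = [NegContent(PATTERN_E, depth=36), NegContent(PATTERN_UPPER),
         NegContent(PATTERN_LOWER)]
# The alternative the post avoids: a single nocase negation.
NOCASE_VARIANT = [NegContent(PATTERN_E, depth=36),
                  NegContent(PATTERN_UPPER, nocase=True)]


def compare(payload: bytes) -> tuple:
    """(alerts under the tuned rule, alerts under the nocase variant)."""
    return rule_alerts(payload, 10, TUNED), rule_alerts(payload, 10, NOCASE_VARIANT)
```

A mixed-case payload is the case that separates the two variants: the pair of case-sensitive negations still alerts on it, while the single nocase negation lets it through.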

Snort-users mailing list