Home page logo

snort logo Snort mailing list archives

Re: 1:17239 False Positive
From: Joel Esler <jesler () sourcefire com>
Date: Tue, 12 Oct 2010 16:11:02 -0400

On Oct 12, 2010, at 3:57 PM, waldo kitty wrote:
On 10/12/2010 15:42, Joel Esler wrote:
Right, that's the general rule of thumb, however, this rule was updated in today's rulepack.


On Oct 12, 2010, at 12:21 PM, Christopher A. Libby wrote:

My initial guess would be disable this rule if you aren't using the product  [...]

"the general rule of thumb" depends on which side of the fence one is standing 
and operating on...

on my side of the fence, if there is some bad traffic, i want to know about 
it... just because i'm not using a particular product doesn't mean that i'm 
willing to let that abusive traffic and those abusive IPs access my 
network(s)... if some IP is beating on my network with traffic attempting to 
compromise a package that i'm not running, they are obviously up to no good and 
they are quite unwelcome in my network(s)... as such they are unceremoniously 
blocked with all due prejudice available...

this is especially true with web-base traffic... just because i'm not running a 
CMS doesn't mean that i'm going to allow my server(s) and application(s) be beat 
on with traffic that is attempting to violate any CMS product... why should i 
allow all that traffic on my network(s)? why should i subject my server(s) and 
app(s) to that kind of beating? thank but no thanks...

That's certainly one way of looking at it, and depending on the environment, I agree that might be interesting.  But 
for people who are just trying to understand the alerts in their environment, turning off rules for software they don't 
run may be a viable tuning step.


Joel Esler

Beautiful is writing same markup. Internet Explorer 9 supports
standards for HTML5, CSS3, SVG 1.1,  ECMAScript5, and DOM L2 & L3.
Spend less time writing and  rewriting code and more time creating great
experiences on the web. Be a part of the beta today.
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]