[Snort-sigs] mods to curb false positive on x11 rules?

Michael Scheidell scheidell at ...249...
Fri Jun 7 05:21:03 EDT 2002


> 
> How about changing the port on the "$EXTERNAL_NET" to exclude well known ports, seems to be where the majority of the false alerts come from (for this rule and a lot of others).
> 
> Not sure how this could be done, there doesn't seem to be a "greater than" operator for the ports although I guess it could be done with a range (something like 1025:65535 ?).
> 
> Anybody know if there'd be any great performance impact doing this sort of thing?

might speed things up....
would be 1024:

-- 
Michael Scheidell
SECNAP Network Security, LLC
(561) 368-9561 scheidell at ...249...
http://www.secnap.net/
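
As an added example (not part of the original post and not Snort's own code), a small Python model of Snort's rule-header port syntax, showing what the `1024:` form suggested above matches compared with the `1025:65535` range from the question. The function names and the sample source ports are constructed for illustration.

```python
"""Model of Snort rule-header port specs: any, N, N:M, N:, :M, optional leading '!'."""

MAX_PORT = 65535


def parse_port_spec(spec):
    """Return (negated, low, high) for a port spec; both bounds are inclusive."""
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if spec == "any":
        if negated:
            raise ValueError("'!any' would match no port")
        return (False, 0, MAX_PORT)
    if ":" in spec:
        lo_s, hi_s = spec.split(":", 1)
        low = int(lo_s) if lo_s else 0          # ':M' means every port <= M
        high = int(hi_s) if hi_s else MAX_PORT  # 'N:' means every port >= N
    else:
        low = high = int(spec)
    if not 0 <= low <= high <= MAX_PORT:
        raise ValueError(f"bad port range: {spec!r}")
    return (negated, low, high)


def port_matches(spec, port):
    """True if `port` is selected by the port spec."""
    negated, low, high = parse_port_spec(spec)
    return (low <= port <= high) != negated


def differing_ports(spec_a, spec_b):
    """Ports on which two specs disagree (exhaustive check over 0..65535)."""
    a, b = parse_port_spec(spec_a), parse_port_spec(spec_b)
    hit = lambda s, p: (s[1] <= p <= s[2]) != s[0]
    return [p for p in range(MAX_PORT + 1) if hit(a, p) != hit(b, p)]


if __name__ == "__main__":
    # Constructed source ports: replies from well-known services vs. client ports.
    for sport in (25, 80, 443, 1023, 1024, 32768):
        print(sport, port_matches("any", sport), port_matches("1024:", sport))
    print("1024: vs 1025:65535 differ on", differing_ports("1024:", "1025:65535"))
```
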




