[Snort-sigs] mods to curb false positive on x11 rules?
scheidell at ...249...
Fri Jun 7 05:21:03 EDT 2002
> How about changing the port on the "$EXTERNAL_NET" to exclude well known ports, seems to be where the majority of the false alerts comes from (for this rule and a lot of others).
> Not sure how this could be done, there doesn't seem to be a "greater than" operator for the ports although I guess it could be done with a range (something like 1025:65535 ?).
> Anybody know if there'd be any great performance impact doing this sort of thing?
might speed things up....
would be 1024:
SECNAP Network Security, LLC
(561) 368-9561 scheidell at ...249...
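Added example, not part of the original post and not Snort's own code: a minimal matcher for the port-field forms discussed in this thread (`any`, `low:`, `:high`, `low:high`, and `!` negation), run over constructed source ports to show which ones a source-port restriction would still inspect. The function names and sample ports are assumptions made for illustration.

```python
# Snort-style port field matcher (illustrative; names are hypothetical).
PORT_MAX = 65535


def parse_port_spec(spec):
    """Return (negated, low, high) for a Snort-style port field."""
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if spec == "any":
        if negated:
            raise ValueError("'!any' would match no port at all")
        return (False, 0, PORT_MAX)
    if ":" in spec:
        low_s, high_s = spec.split(":", 1)
        # An open-ended side means "everything up to" / "everything from".
        low = int(low_s) if low_s else 0
        high = int(high_s) if high_s else PORT_MAX
    else:
        low = high = int(spec)
    if not (0 <= low <= high <= PORT_MAX):
        raise ValueError(f"bad port range: {spec!r}")
    return (negated, low, high)


def port_matches(spec, port):
    """True if `port` falls inside the port field `spec`."""
    negated, low, high = parse_port_spec(spec)
    return (low <= port <= high) != negated


def surviving_ports(spec, ports):
    """Ports from `ports` that a rule with source-port field `spec` still inspects."""
    return [p for p in ports if port_matches(spec, p)]


# Constructed sample of source ports: well-known services plus high ports.
SAMPLE_SRC_PORTS = [20, 80, 443, 1023, 1024, 1025, 6000, 49152]

if __name__ == "__main__":
    for spec in ("any", "1024:", "1025:65535", "!:1023"):
        print(f"{spec:>12} -> {surviving_ports(spec, SAMPLE_SRC_PORTS)}")
```

The only difference between `1024:` and `1025:65535` is whether source port 1024 itself is still inspected; `!:1023` is equivalent to `1024:`.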