[Snort-sigs] mods to curb false positive on x11 rules?

Michael Scheidell scheidell at ...249...
Fri Jun 7 05:21:03 EDT 2002

> How about changing the port on the "$EXTERNAL_NET" to exclude well-known ports, seems to be where the majority of the false alerts come from (for this rule and a lot of others).
> Not sure how this could be done, there doesn't seem to be a "greater than" operator for the ports although I guess it could be done with a range (something like 1025:65535 ?).
> Anybody know if there'd be any great performance impact doing this sort of thing?

might speed things up....
would be 1024:

Michael Scheidell
SECNAP Network Security, LLC
(561) 368-9561 scheidell at ...249...
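
The two range forms mentioned in this thread, `1025:65535` and `1024:`, differ only at port 1024. The following is an added example, not part of the original post and not Snort code: a small Python evaluator for Snort's rule-header port syntax (`N`, `N:M`, `N:`, `:M`, leading `!`), run over constructed source ports. The function names and the sample events are assumptions made for illustration.

```python
# Added illustration: evaluates Snort rule-header port fields so the effect
# of restricting the $EXTERNAL_NET side to non-well-known ports can be checked.
MAX_PORT = 65535


def parse_port_spec(spec):
    """Return (negated, low, high) for a port field such as '1024:' or '!:1023'."""
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if spec == "any":
        low, high = 0, MAX_PORT
    elif ":" in spec:
        lo_s, hi_s = spec.split(":", 1)
        low = int(lo_s) if lo_s else 0            # ':M' means M and below
        high = int(hi_s) if hi_s else MAX_PORT    # 'N:' means N and above
    else:
        low = high = int(spec)
    # Rejecting reversed or out-of-range bounds is this example's own choice.
    if not 0 <= low <= high <= MAX_PORT:
        raise ValueError("bad port spec: %r" % spec)
    return negated, low, high


def port_matches(spec, port):
    """True if 'port' satisfies the port field 'spec'."""
    negated, low, high = parse_port_spec(spec)
    return (low <= port <= high) != negated


def surviving_alerts(spec, events):
    """Keep the (label, external_port) events the rule would still inspect."""
    return [label for label, port in events if port_matches(spec, port)]


# Constructed sample: external-side source ports seen on matching traffic.
SAMPLE_EVENTS = [
    ("web server reply", 80),
    ("mail server reply", 25),
    ("first unprivileged port", 1024),
    ("ephemeral client port", 32768),
]

if __name__ == "__main__":
    for spec in ("any", "1024:", "1025:65535"):
        print(spec, "->", surviving_alerts(spec, SAMPLE_EVENTS))
```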
