[Snort-sigs] mods to curb false positive on x11 rules?

paul.chillman at ...623...
Fri Jun 7 06:09:02 EDT 2002


> How about changing the port on the "$EXTERNAL_NET" to exclude well known
> ports, seems to be where the majority of the false alerts comes from (for
> this rule and a lot of others).

Ever had one of those days......

Before anybody mentions it I should have said that it'd only be safe to
limit port ranges on the internal network since for the most part "they" can
pick whatever port they want.


regards,
Paul.



