[Snort-sigs] mods to curb false positive on x11 rules?

Michael Scheidell scheidell at ...249...
Thu May 30 14:54:03 EDT 2002


> Ah!  Firstly I had not realised Arachnids was back on the air.  Great!
> Secondly I too have been having regular problems with false +ves on X11
> rules of the nature of those described by Michael.  I too had wondered
> about explicitly checking for SYN+ACKs, but another approach that
> occurred to me was to use the new direction attribute (if I understand
> it correctly) to eliminate false +ve on *source* ports of 600x.  

assuming you are running 1.9x code ;-)

I am not.

-- 
Michael Scheidell
SECNAP Network Security, LLC
(561) 368-9561 scheidell at ...249...
http://www.secnap.net/
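
Added example (not part of either poster's message, and not Snort code): a small Python model of the two ideas in the quoted text, requiring SYN+ACK from a 600x source port versus tracking which side opened the connection. The packet records, addresses and the 6000-6005 range standing in for "600x" are constructed assumptions.

```python
from collections import namedtuple

# Simplified TCP packet record; flags use Snort-style letters (S, A, P).
Pkt = namedtuple("Pkt", "src sport dst dport flags")
X11_PORTS = range(6000, 6006)  # assumption: "600x" means 6000-6005

# Constructed sample: a client that happens to use ephemeral port 6001 to reach
# a web server, followed by a genuine connection to an X server on port 6000.
SAMPLE = [
    Pkt("10.0.0.5", 6001, "192.0.2.10", 80, "S"),
    Pkt("192.0.2.10", 80, "10.0.0.5", 6001, "SA"),
    Pkt("10.0.0.5", 6001, "192.0.2.10", 80, "A"),
    Pkt("10.0.0.5", 6001, "192.0.2.10", 80, "PA"),
    Pkt("192.0.2.77", 40000, "10.0.0.9", 6000, "S"),
    Pkt("10.0.0.9", 6000, "192.0.2.77", 40000, "SA"),
    Pkt("192.0.2.77", 40000, "10.0.0.9", 6000, "A"),
    Pkt("10.0.0.9", 6000, "192.0.2.77", 40000, "PA"),
]

def naive_source_port(pkts):
    """Stateless match on source port alone: fires on ephemeral-port clients."""
    return [p for p in pkts if p.sport in X11_PORTS]

def synack_only(pkts):
    """Stateless fix: a 600x source port must be answering with SYN+ACK,
    which only a listener on that port does."""
    return [p for p in pkts if p.sport in X11_PORTS and p.flags == "SA"]

def direction_aware(pkts):
    """Stateful fix: remember who sent the initial SYN, then match only
    packets sent by the server side of flows whose server port is 600x."""
    server_side = set()  # (server_ip, server_port, client_ip, client_port)
    alerts = []
    for p in pkts:
        if p.flags == "S":  # bare SYN: p.src is the client, p.dst the server
            server_side.add((p.dst, p.dport, p.src, p.sport))
        elif (p.src, p.sport, p.dst, p.dport) in server_side \
                and p.sport in X11_PORTS:
            alerts.append(p)
    return alerts

if __name__ == "__main__":
    for check in (naive_source_port, synack_only, direction_aware):
        hits = check(SAMPLE)
        print(f"{check.__name__}: {len(hits)} alert(s)")
        for p in hits:
            print(f"    {p.src}:{p.sport} -> {p.dst}:{p.dport} [{p.flags}]")
```

The SYN+ACK check needs no connection state, which is why it remains an option when a direction-aware engine is not available.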




