[Snort-sigs] Re: More about shell code rules
r.fulton at ...575...
Mon Nov 17 14:25:02 EST 2003
On Tue, 2003-11-18 at 10:52, Brian wrote:
> > I was not actually complaining about the volume of alerts and although
> > it would be nice to be able to limit the number of identical alerts I
> > don't think that is really snort's job. That can be handled by post
> > processing. (another field in Acid for number of identical alerts?)
> thresholding does this.
> threshold gen_id 1, sig_id 1424, type limit, track by_src, count 1, seconds 60
Thanks, I'll look into this. I'm out of touch with the recent
developments in snort, sigh... I must get myself back on the
> > What do others feel about the shellcode rules?
> I haven't been thrilled with the idea of shellcode rules for years. As we go
> forward I'm moving more and more away from writing rules that are
> hardcoded to a specific shellcode.
I agree in principle, but I still find generic shell code detects useful
in conjunction with other alerts. With so many exposed machines I often
see attack probes against 100+ systems; when I pull all alerts
associated with that source address and see 10 destinations that have
shell code detects too, then I know which machines I need to take a
second look at.
> > Brian: I am happy to send in my amended copies of the rules for you to
> > add into the distribution.
> Nah, I know what's wrong and can modify rules without help, thanks
> though. :P
Would you please :)
BTW I did not mean to cast aspersions on your ability to make simple
changes to rules ;) just thought I might save you a few minutes work
with an editor.
Russell Fulton, Network Security Officer, The University of Auckland,
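As an added illustration (not code from the thread or from Snort itself), the `threshold ... type limit, track by_src` directive Brian quotes and the per-source correlation Russell describes, reimplemented in Python over constructed sample alerts: the threshold logic follows Snort's documented "limit" semantics (log only the first `count` events per source in each `seconds` window), while the alert lines, signature 2000 and the addresses are made up for the example.

```python
import re
from datetime import datetime

# Constructed sample alerts in Snort "fast" alert format (made up for this
# example): 10.0.0.5 probes three hosts, and sig 1424 (shellcode) fires on two.
ALERTS = """\
11/17-14:00:00.000000 [**] [1:2000:1] WEB-MISC probe [**] {TCP} 10.0.0.5:4000 -> 192.168.1.10:80
11/17-14:00:01.000000 [**] [1:2000:1] WEB-MISC probe [**] {TCP} 10.0.0.5:4001 -> 192.168.1.11:80
11/17-14:00:02.000000 [**] [1:1424:3] SHELLCODE x86 NOOP [**] {TCP} 10.0.0.5:4002 -> 192.168.1.11:80
11/17-14:00:30.000000 [**] [1:1424:3] SHELLCODE x86 NOOP [**] {TCP} 10.0.0.5:4003 -> 192.168.1.12:80
11/17-14:01:30.000000 [**] [1:1424:3] SHELLCODE x86 NOOP [**] {TCP} 10.0.0.5:4004 -> 192.168.1.12:80
"""

LINE = re.compile(r"^(\S+) \[\*\*\] \[(\d+):(\d+):\d+\] (.*?) \[\*\*\] "
                  r"\{\w+\} (\S+):\d+ -> (\S+):\d+$")

def parse(text):
    """Yield (timestamp, gen_id, sig_id, msg, src, dst) for each alert line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts, g, s, msg, src, dst = m.groups()
            yield (datetime.strptime(ts, "%m/%d-%H:%M:%S.%f"), int(g), int(s), msg, src, dst)

def threshold_limit(alerts, gen_id, sig_id, count, seconds):
    """Mimic 'type limit, track by_src': keep the first `count` events per source
    in each `seconds` window (window starts at its first event); other sigs pass."""
    windows, kept = {}, []            # src -> (window_start, events_seen)
    for a in alerts:
        ts, g, s, _, src, _ = a
        if (g, s) != (gen_id, sig_id):
            kept.append(a)
            continue
        start, seen = windows.get(src, (None, 0))
        if start is None or (ts - start).total_seconds() >= seconds:
            start, seen = ts, 0       # window expired: open a new one
        seen += 1
        windows[src] = (start, seen)
        if seen <= count:
            kept.append(a)
    return kept

def suspects(alerts, src, shellcode_sigs=(1424,)):
    """Destinations hit by `src`, and the subset that also had shellcode alerts."""
    hit, shell = set(), set()
    for _, g, s, _, a_src, dst in alerts:
        if a_src == src:
            hit.add(dst)
            if g == 1 and s in shellcode_sigs:
                shell.add(dst)
    return sorted(hit), sorted(shell)
```

With the sample above, the limit keeps the 14:00:02 and 14:01:30 shellcode alerts and drops the one at 14:00:30, and the correlation singles out 192.168.1.11 and 192.168.1.12 for a second look.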