[Snort-sigs] Disabling 2 rules

Matthew Jonkman matt at ...2436...
Tue Jul 13 07:21:32 EDT 2004

The binary download rules are great, they work well. It'll really give 
you an idea of how many times a Windows workstation pulls an executable 
from somewhere. Login, etc.

I'm disabling these 2 rules by default in the bleeding.rules:

BLEEDING-EDGE PE EXE Install Windows file download
BLEEDING-EDGE PE EXE or DLL Windows file download

They are accurate, they work well. But it's too many hits to be pertinent.

I certainly don't want to dump those rules though. Anyone have an idea 
of what to do with them to just show malicious info? Like only from the 
Internet, etc?

