[Snort-sigs] Disabling 2 rules

Matthew Jonkman matt at ...2436...
Tue Jul 13 07:21:32 EDT 2004


The binary download rules are great, they work well. It'll really give 
you an idea of how many times a Windows workstation pulls an executable 
from somewhere. Login, etc.

I'm disabling these 2 rules by default in the bleeding.rules:

BLEEDING-EDGE PE EXE Install Windows file download
BLEEDING-EDGE PE EXE or DLL Windows file download

They are accurate, they work well. But it's too many hits to be pertinent.

I certainly don't want to dump those rules though. Anyone have an idea 
of what to do with them to just show malicious info? Like only from the 
Internet, etc?

Matt
-- 
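
An added example, not part of the original post and not Bleeding Edge code: one way to cut these two rules down to Internet-sourced downloads is to post-filter Snort "fast" alert lines and keep only hits where the sending host is outside the local network. It assumes HOME_NET is the RFC 1918 space; the SIDs and addresses in the sample are constructed.

```python
import ipaddress
import re

# The two rule messages named in the post.
NOISY_RULES = {
    "BLEEDING-EDGE PE EXE Install Windows file download",
    "BLEEDING-EDGE PE EXE or DLL Windows file download",
}

# Assumption: HOME_NET is the RFC 1918 space; replace with your own ranges.
HOME_NET = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Fast alert line: ts [**] [gid:sid:rev] msg [**] ... {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[\d+:\d+:\d+\]\s+(?P<msg>.+?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+"
)

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in HOME_NET)

def internet_downloads(lines):
    """Return (msg, src, dst) for the noisy rules when an external host
    sent the binary to an internal host; internal pulls are dropped."""
    hits = []
    for line in lines:
        m = ALERT_RE.search(line)
        if not m or m.group("msg") not in NOISY_RULES:
            continue
        src, dst = m.group("src"), m.group("dst")
        if not is_internal(src) and is_internal(dst):
            hits.append((m.group("msg"), src, dst))
    return hits

# Constructed sample alerts (SIDs, timestamps and addresses are made up).
SAMPLE = [
    "07/13-07:21:30.000001  [**] [1:1000001:1] BLEEDING-EDGE PE EXE or DLL Windows file download [**] [Priority: 2] {TCP} 10.0.0.5:80 -> 10.0.3.20:1045",
    "07/13-07:21:31.000002  [**] [1:1000001:1] BLEEDING-EDGE PE EXE or DLL Windows file download [**] [Priority: 2] {TCP} 203.0.113.7:80 -> 192.168.1.44:1310",
    "07/13-07:21:32.000003  [**] [1:1000002:1] BLEEDING-EDGE PE EXE Install Windows file download [**] [Priority: 2] {TCP} 198.51.100.9:80 -> 10.0.3.20:1046",
    "07/13-07:21:33.000004  [**] [1:1000003:1] ICMP PING [**] [Priority: 3] {TCP} 198.51.100.9:80 -> 10.0.3.20:1047",
]

if __name__ == "__main__":
    for hit in internet_downloads(SAMPLE):
        print(hit)
```

This is triage on alert output, so the sensor still does the matching work; the rules themselves are unchanged.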