[Snort-sigs] Disabling 2 rules

Matthew Jonkman matt at ...2436...
Tue Jul 13 08:29:03 EDT 2004


A good suggestion came off list. An incredibly obvious suggestion, 
thanks for sending it in.

I've changed the source net for the binary rules to !$HOME_NET. I think 
that'll make them more meaningful.

Those updates are on bleeding. Please let me know if they're effective.

Matt

Matthew Jonkman wrote:

> The binary download rules are great, they work well. It'll really give 
> you an idea of how many times a Windows workstation pulls an executable 
> from somewhere. Login, etc.
> 
> I'm disabling these 2 rules by default in the bleeding.rules:
> 
> BLEEDING-EDGE PE EXE Install Windows file download
> BLEEDING-EDGE PE EXE or DLL Windows file download
> 
> They are accurate, they work well. But it's too many hits to be pertinent.
> 
> I certainly don't want to dump those rules though. Anyone have an idea 
> of what to do with them to just show malicious info? Like only from the 
> Internet, etc?
> 
> Matt
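
The change discussed above, worked through as an added Python emulation. This is example code written for this page; it is not Snort, not the Bleeding rule text, and not Matt's work. It assumes the rule's payload check is the usual PE test (an "MZ" stub, the 32-bit little-endian e_lfanew field at offset 0x3c, and "PE\0\0" at the offset it names) and models the two source-net settings as a filter: `external_only=False` stands for a source net that matches anything, `external_only=True` for `!$HOME_NET`. The HOME_NET value, the addresses and the flow records are all constructed for the demonstration; the source address of each flow is the server that sends the file, since that is the side the rule's source net applies to.

```python
"""Emulate a "PE EXE download" rule with and without a !$HOME_NET source net.

Added example, not the Bleeding Snort rule.  The PE check is the standard
DOS/PE header test; HOME_NET, the addresses and the flows are constructed.
"""
import ipaddress
import struct

# Assumption: the site's $HOME_NET.  Replace with the real ranges.
HOME_NET = [ipaddress.ip_network("192.168.1.0/24")]


def is_pe_image(data: bytes) -> bool:
    """True if data begins with a DOS stub whose e_lfanew points at "PE\\0\\0"."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # A short slice (offset past the buffer) simply fails the comparison.
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def in_home_net(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)


def rule_hits(flows, external_only: bool):
    """Return (server, client) pairs that would fire the rule.

    external_only=False: source net matches any host (the noisy original).
    external_only=True:  source net is !$HOME_NET, so files served from
                         inside the home net no longer alert.
    """
    hits = []
    for server, client, body in flows:
        if not is_pe_image(body):
            continue
        if external_only and in_home_net(server):
            continue
        hits.append((server, client))
    return hits


def build_fake_pe() -> bytes:
    """Constructed minimal header: MZ stub, e_lfanew = 0x40, PE signature."""
    stub = b"MZ" + b"\x00" * (0x3C - 2)
    return stub + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 16


SAMPLE_PE = build_fake_pe()
# "MZ" with e_lfanew = 0: a DOS-era stub with no PE signature behind it.
SAMPLE_NOT_PE = b"MZ" + b"\x00" * 62
SAMPLE_HTML = b"<html><body>not an executable</body></html>"

# Constructed flows: (server address, client address, first bytes of body).
FLOWS = [
    ("192.168.1.10", "192.168.1.50", SAMPLE_PE),      # internal file server, login script
    ("203.0.113.7", "192.168.1.50", SAMPLE_PE),       # download from the Internet
    ("192.168.1.10", "192.168.1.51", SAMPLE_NOT_PE),  # MZ but not a PE image
    ("198.51.100.4", "192.168.1.52", SAMPLE_HTML),    # ordinary web page
]


if __name__ == "__main__":
    print("any source:   ", rule_hits(FLOWS, external_only=False))
    print("!$HOME_NET:   ", rule_hits(FLOWS, external_only=True))
```

Running it shows the effect of the change: with any source both executables alert, with `!$HOME_NET` only the one served from 203.0.113.7 does. The caveat a practitioner should keep in mind is that the restriction also hides an executable staged on a compromised internal host, so it trades coverage of lateral movement for a usable alert volume.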
