[Snort-sigs] Disabling 2 rules

Eric Hines eric.hines at ...1663...
Tue Jul 13 09:40:10 EDT 2004


The web site design layout is done. I'm trying to find a decent menu script
for the menu :) I should be able to upload tonight.


-----Original Message-----
From: Matthew Jonkman [mailto:matt at ...2436...] 
Sent: Tuesday, July 13, 2004 10:28 AM
To: snort-sigs mailinglist
Subject: Re: [Snort-sigs] Disabling 2 rules

A good suggestion came off list. An incredibly obvious suggestion, thanks
for sending it in.

I've changed the source net for the binary rules to !$HOME_NET. I think
that'll make them more meaningful.

Those updates are on bleeding. Please let me know if they're effective.


Matthew Jonkman wrote:

> The binary download rules are great, they work well. It'll really give 
> you an idea of how many times a windows workstation pulls an 
> executable from somewhere. Login, etc.
> I'm disabling these 2 rules by default in the bleeding.rules:
> BLEEDING-EDGE PE EXE Install Windows file download
> BLEEDING-EDGE PE EXE or DLL Windows file download
> They are accurate, they work well. But it's too many hits to be pertinent.
> I certainly don't want to dump those rules though. Anyone have an idea 
> of what to do with them to just show malicious info? Like only from 
> the Internet, etc?
> Matt
