[Snort-sigs] Parasite Rules
matt at ...2436...
Wed Jul 28 08:20:40 EDT 2004
We've made some significant changes to the parasite rules put up
yesterday. They've been changed to tcp only, and are using flow now. We
hope that'll reduce the number of alerts to more meaningful numbers.
Those changes are up now.
With this new ruleset, please let us know about falses. I'm seeing a
number of just ads being served up from a couple of these nets, the
BargainBuddy rule in particular. Looking for ideas on how to eliminate
that, or justify not using the rule if spyware isn't reporting there.
I definitely have identified new PCs infected with otherwise undetected
spyware with these. They're definitely worth running. Even see a couple
that appear to be reporting via HTTPS. Traffic is coming out when the
computer is idle, no browser open, etc. Definitely something covert.
Please let us know about nets that are giving you falses and we'll get
them tweaked or disabled. And anyone who knows about new nets, please
send them in.
The current rules are on bleedingsnort.com
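An added illustration of the "tcp only, using flow" change described above. These are not the bleedingsnort.com rules themselves; the destination network (192.0.2.0/24, a documentation range), the sid values (local-rule range) and the message text are placeholders. The first rule is the shape of a net-based spyware rule before the change, the second is the same rule restricted to established TCP sessions initiated by the inside host, and the third shows what is left for reporting over HTTPS, where no content match is possible and the rule can only key on the destination net and port.

```snort
# Hypothetical "before" rule: any IP protocol, no flow qualifier.
# Matches every packet in either direction, including UDP, unanswered
# SYNs, and the ad server's replies, which is why it alerted so often.
alert ip $HOME_NET any -> 192.0.2.0/24 any (msg:"EXAMPLE Spyware net (before: ip, no flow)"; classtype:trojan-activity; sid:1000001; rev:1;)

# Hypothetical "after" rule: TCP only, and only on packets that belong to an
# established session and travel client -> server. Server-to-client data,
# scans, and stray UDP no longer fire it. A stream preprocessor (stream4 in
# Snort 2.x of this era) must be enabled for flow:established to work.
alert tcp $HOME_NET any -> 192.0.2.0/24 any (msg:"EXAMPLE Spyware net reporting (after: tcp, flow)"; flow:established,to_server; classtype:trojan-activity; sid:1000002; rev:2;)

# Hypothetical HTTPS variant: the payload is encrypted, so there is nothing
# to match on beyond the destination net and port 443. This rule is only as
# good as the net list; expect it to need tuning against legitimate hosts
# in the same ranges.
alert tcp $HOME_NET any -> 192.0.2.0/24 443 (msg:"EXAMPLE Spyware net reporting over HTTPS (no content match possible)"; flow:established,to_server; classtype:trojan-activity; sid:1000003; rev:1;)
```

When a rule like the second one still fires only on ad traffic from a net, the usual next step is to add a content match on the specific reporting URI or User-Agent the spyware uses, so plain ad fetches from the same net no longer count; that only works for the cleartext variant, which is why the HTTPS case stays noisy.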