[Snort-sigs] Suggestion to cut down on FP for generic overflow rules

Russell Fulton r.fulton at ...575...
Wed May 12 22:26:00 EDT 2004


Hi,
We see lots of FPs on rules that check things like IMAP and FTP paths.
Most of these rules seem to be set at 100 and we have many
legitimate cases where this is exceeded.

I was wondering if it would be worth parameterising these rules with a
$FTP_PATH_LEN and an IMAP_FOLDER_LEN which gets set along with all the
other configurable stuff in snort.conf?

I'm happy to sort through and send in the diffs.

-- 
Russell Fulton                                    /~\  The ASCII
Network Security Officer                          \ /  Ribbon Campaign
The University of Auckland                         X   Against HTML
New Zealand                                       / \  Email!





