[Snort-sigs] Suggestion to cut down on FP for generic overflow rules

Russell Fulton r.fulton at ...575...
Thu May 13 14:44:09 EDT 2004

On Fri, 2004-05-14 at 03:55, Brian wrote:

> Banners become a nightmare to maintain.  I'd rather not do that if we
> can avoid it.  
> If your mail server allows different folder depths, modify those
> specific rules.

This then becomes a "nightmare to maintain" for us :)

I was under the impression that most of these rules were generic detects
not targeted at specific specific implementations.  The comments in the
rules write up suggest this.

Hmmm... At CanSecWest Marty spoke about using passive monitoring of
network traffic (I forget what Sourcefire call the product) to get just
this sort of information which is then used to post process alerts.  So
you only get IIS alerts for machines that are actually running IIS and
not Apache.

Russell Fulton                                    /~\  The ASCII
Network Security Officer                          \ /  Ribbon Campaign
The University of Auckland                         X   Against HTML
New Zealand                                       / \  Email!

More information about the Snort-sigs mailing list