[Snort-sigs] Flowbits updates

Kreimendahl, Chad J Chad.Kreimendahl at ...361...
Tue May 18 09:31:11 EDT 2004


I'm interested in spending some time updating rules with flowbits to
help eliminate false positives.  What type of interest is there in the
community for this type of thing?

I've been playing around with it for a short while and am liking it.
I'd also be curious how most people would want it to work.

I suppose there are many ways, and likely many different reasons for
each rule to do any of the methods available.  If anyone out there would
like to submit a list of your most hit false positives to this list,
I'll see what I can do to make them less false using flowbits.   I'm
hoping for this to benefit many things I'm attempting [correlation].



