[Snort-sigs] False positive - sid 1365
pauls at ...1311...
Tue Mar 22 08:49:31 EST 2005
--On Monday, March 21, 2005 07:29:41 PM -0500 Ofer Shezaf <Ofer.Shezaf at ...2971...> wrote:
> Write code better; Configure the server better; use application layer
> security tools; but don't try to catch application layer issues such as
> command or SQL injection with Snort.
It's not my job to write code, although I do a fair bit of it. It's not my
job to configure servers, although I do a lot of server configuration.
*I'm* not *trying* to "catch" application layer issues with snort. I'm
simply reporting a false positive.
That *is*, after all, what the community is *supposed* to do. Frankly, I
could care less if the rule gets "fixed" or not. I've already configured
sguil to ignore that rule for that host. It *is* my job to interpret the
data that I'm seeing, from the various devices I use to gather data, and
decide what is a legitimate threat to *our* network and hosts and what is
merely background noise.
I was simply reporting a false positive, which I *think* may be helpful to
the developers of snort - whose job it *is* to write better code. If *you*
think that snort shouldn't be trying to "catch" application layer issues,
then complain to the snort development team that they're venturing into
areas they should not be venturing into. It was not *me* that decided to
write this particular rule or to include it in the snort rulebase.
Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member