[Snort-sigs] False positive - sid 1365

Paul Schmehl pauls at ...1311...
Tue Mar 22 08:49:31 EST 2005

--On Monday, March 21, 2005 07:29:41 PM -0500 Ofer Shezaf 
<Ofer.Shezaf at ...2971...> wrote:
> So?
> Write code better; Configure the server better; use application layer
> security tools; but don't try to catch application layer issues such as
> command or SQL injection with Snort.

It's not my job to write code, although I do a fair bit of it.  It's not my 
job to configure servers, although I do a lot of server configuration. 
*I'm* not *trying* to "catch" application layer issues with snort.  I'm 
simply reporting a false positive.

That *is*, after all, what the community is *supposed* to do.  Frankly, I 
could care less if the rule gets "fixed" or not.  I've already configured 
sguil to ignore that rule for that host.  It *is* my job to interpret the 
data that I'm seeing, from the various devices I use to gather data, and 
decide what is a legitimate threat to *our* network and hosts and what is 
merely background noise.

I was simply reporting a false positive, which I *think* may be helpful to 
the developers of snort - whose job it *is* to write better code.  If *you* 
think that snort shouldn't be trying to "catch" application layer issues, 
then complain to the snort development team that they're venturing into 
areas they should not be venturing into.  It was not *me* that decided to 
write this particular rule or to include it in the snort rulebase.


Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member