[Snort-sigs] False positive sid:498

Frank Knobbe frank at ...1978...
Thu Mar 24 13:52:51 EST 2005


On Thu, 2005-03-24 at 15:40 -0600, Paul Schmehl wrote:
> The problem with this solution is that it requires a lot of maintenance 
> *and* documentation so that, when I get run over by a bus (or fired for 
> incompetence) my replacement will know *why* the suppression rules exist.

The documentation can be as simple as comments inline. That's how we do
it currently. We document why the rule is there with comments above and
behind it.

I'm entertaining the idea of moving to a CVS based setup to provide not
just the historical logs but audit trail on who added what.

There are solution to the documentation process, and you can pick which
ever fits you best. I think the important thing is realizing that you
need documentation in the first place :)

> Suppression rules are good for *some* things, but it becomes a tangled mess 
> if you try to solve *every* fp that way.

I have some suppression.conf files that have grown quite a bit. However,
with proper formatting and comments, I think it's usable. But feel free
to mix in some pass rules for host/ports based suppression to make
things easier.

> In general, yes, but what did you think of Mike's suggestion to use 
> flowbits to check for a server response?

I'm not sure if I like that idea. I think that's putting too much trust
on the flow-bit setting rule. If that breaks for some reason, all
dependent rules will fail too. (Then again, I haven't looked/thought
about this extensively... ymmv).

> Primarily because it doesn't scale well when you have to deal with class A 
> size networks and thousands of hosts.

Well, I wasn't implying to filter on *your* IP addresses. I don't think
the Internet based security outlets, or whatever is causing you grief,
will be in the thousands. If web traffic to Security focus is a problem,
filter based on their network (for example, 205.206.231.0/27 or such).
Work with the fixed targets on the Internet, not the moving targets in
your Class A. :)

Cheers,
Frank

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 187 bytes
Desc: This is a digitally signed message part
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20050324/90293796/attachment.sig>


More information about the Snort-sigs mailing list