[Snort-sigs] What do the commented-out rules mean?

Matt Olney molney at ...435...
Tue Dec 1 20:41:07 EST 2009


Joel is right.

We turn rules off for several reasons:

Preprocessors render them irrelevant
Performance impact too high in relation to the threat
False positives too high in relation to the threat
The rule covers an obsolete vuln, and should only be used by people trapped by old tech.

Hope that helps,

Matt


On Dec 1, 2009, at 8:29 PM, Joel Esler <jesler at ...435...> wrote:

> On Tue, Dec 1, 2009 at 7:15 PM, 林闻捷 <wendyfermilin at ...2420...>  
> wrote:
> Hi, all
>
> I analyzed the web-activex rules in both the 2.7 and 2.8 versions.
> There are lots of rules commented out (more than half). The same goes
> for many other files. What do commented-out rules mean? Are they bad
> rules, or kept as a backup for special usage? Thank you very much!
>
>
> It means they are off by default.  You can choose to turn them on,  
> if they apply to your environment.
>
>
>
>
> --
> Joel Esler | 302-223-5974 | Gtalk: jesler at ...435...
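An added example, not part of the original thread and not Snort project tooling: a short Python script that inventories which rules in a rules file are commented out (off by default) and uncomments only the SIDs chosen for the local environment. The sample rules, SIDs and messages are constructed for illustration, and the function names are hypothetical.

```python
import re

# Constructed sample in Snort 2.x rule syntax; SIDs and messages are made up.
SAMPLE_RULES = '''\
# Comment line that is not a rule
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE ActiveX control A"; content:"clsid"; nocase; sid:1000001; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE ActiveX control B"; content:"clsid"; nocase; sid:1000002; rev:3;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE ActiveX control C"; content:"clsid"; nocase; sid:1000003; rev:2;)
'''

# A rule line starts with a Snort 2.x action, optionally behind a single '#'.
ACTIONS = r"(?:alert|log|pass|drop|reject|sdrop|activate|dynamic)"
RULE_RE = re.compile(r"^(?P<off>#\s*)?(?P<rule>" + ACTIONS + r"\s.+\(.*\))\s*$")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"')


def inventory(text):
    """Return one dict (sid, msg, enabled) per rule line, enabled or not."""
    out = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # blank line or ordinary comment
        sid = SID_RE.search(m.group("rule"))
        msg = MSG_RE.search(m.group("rule"))
        out.append({"sid": int(sid.group(1)) if sid else None,
                    "msg": msg.group(1) if msg else "",
                    "enabled": m.group("off") is None})
    return out


def enable(text, sids):
    """Uncomment only the rules whose SID is in `sids`; leave the rest alone."""
    lines = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        sid = SID_RE.search(line) if m else None
        if m and m.group("off") and sid and int(sid.group(1)) in sids:
            line = m.group("rule")
        lines.append(line)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for r in inventory(SAMPLE_RULES):
        print("on " if r["enabled"] else "off", r["sid"], r["msg"])
```
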

