[Snort-sigs] What do the commented-out rules mean?

evilghost at ...3397...
Tue Dec 1 21:48:53 EST 2009


Matt/Joel, I could be wrong but I seem to recall a few new signatures in 
the VRT release being commented-out by default, but listed in the change 
log as new additions.  Sadly, I cannot give you an exact release but I 
do distinctly recall this situation.  Was this intentional, and if so, 
would it be possible to get a designator in the change log to indicate 
it's disabled by default?  If unintentional, no harm, I just wasn't sure 
if this was common/expected or not and if VRT releases may include 
signatures that are disabled by default.

Thanks

-evilghost

Matt Olney wrote:
> Joel is right.
>
> We turn rules off for several reasons:
>
> Preprocessors render them irrelevant
> Performance impact too high in relation to the threat
> False positives too high in relation to the threat
> The rule covers an obsolete vuln, and should only be used by people 
> trapped by old tech.
>
> Hope that helps,
>
> Matt
>
> Sent from my iPhone
>
> On Dec 1, 2009, at 8:29 PM, Joel Esler <jesler at ...435...> wrote:
>
>> On Tue, Dec 1, 2009 at 7:15 PM, 林闻捷 <wendyfermilin at ...2420...> wrote:
>> Hi, all
>>
>> I analyzed the web-activex rules in both the 2.7 and 2.8 versions. There 
>> are lots of rules commented out (more than half). The same is true of many 
>> other files. What do commented-out rules mean? Are they bad rules, or a 
>> backup for special usage? Thank you very much!
>>
>>
>> It means they are off by default.  You can choose to turn them on, if 
>> they apply to your environment.
>>
>>
>>
>>
>> -- 
>> Joel Esler | 302-223-5974 | Gtalk: jesler at ...435...
>> _______________________________________________
>> Snort-sigs mailing list
>> Snort-sigs at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-sigs




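An added example, not part of the original thread and not VRT or Snort project code: a Python script that inventories which rules in a rules file are commented out (off by default) and reports which sids from a given list, such as the new additions named in a change log, ship disabled. The sample rules, their sids and the function names are constructed for illustration, and the script assumes one rule per line.

```python
import re

# A disabled rule is an ordinary rule line prefixed with '#'. Plain comments
# do not start with a rule action followed by an option block, so they are skipped.
RULE_RE = re.compile(
    r'^\s*(?P<off>#+\s*)?(?P<action>alert|log|pass|drop|reject|sdrop|activate|dynamic)\s'
    r'.*\(.*\)\s*$')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"')

# Constructed sample in the style of a rules file; these are not real VRT rules.
SAMPLE = r'''
# Constructed sample rules for the example below.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE enabled rule"; content:"abc"; sid:1000001; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE activex rule shipped off"; content:"clsid"; nocase; sid:1000002; rev:2;)
#alert udp any any -> any 53 (msg:"EXAMPLE obsolete vuln"; sid:1000003; rev:1;)
# alert is a keyword, but this line is only a comment
'''

def parse_rules(text):
    """Return {sid: {"enabled": bool, "msg": str}} for every rule line in text."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        sid = SID_RE.search(line)
        if not m or not sid:
            continue  # blank line, prose comment, or something that is not a rule
        msg = MSG_RE.search(line)
        rules[int(sid.group(1))] = {
            "enabled": m.group("off") is None,
            "msg": msg.group(1) if msg else "",
        }
    return rules

def disabled_among(rules, sids):
    """Of the given sids (e.g. those a change log lists as new), which ship disabled?"""
    return sorted(s for s in sids if s in rules and not rules[s]["enabled"])

if __name__ == "__main__":
    rules = parse_rules(SAMPLE)
    off = [s for s, r in rules.items() if not r["enabled"]]
    print(f"{len(rules)} rules, {len(off)} disabled by default")
    for sid in disabled_among(rules, [1000001, 1000002, 1000003]):
        print(f"sid {sid} is listed but commented out: {rules[sid]['msg']}")
```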