[Snort-sigs] proper metadata use?
william.metcalf at ...2420...
Tue Apr 27 19:37:11 EDT 2010
Is the metadata policy for all of these rules correct? If people
start using pulled-pork for policy drop stuff... or maybe I'm
misunderstanding the meaning of this metadata tag.
grep "security-ips drop" *.rules | grep "flowbits:\s*noalert"
Looks like it would end up in a lot of traffic that is being used for
protocol decode. It is generally a bad idea to mix drop and
flowbits:noalert as valid traffic ends up getting dropped and the
users have no idea why. Just my 2 cents....
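
An added example, not part of the original post: the same check as the grep pipeline above, done by parsing each rule's options so that it also reports the sid, whether the rule is commented out, and which flowbits the rule sets. It assumes one rule per line; the sample rules are constructed, and the names parse_options and silent_drops are hypothetical.

```python
import re

# Constructed sample rules (sids, messages and flowbit names are made up).
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE smb session setup\; state only"; flow:to_server,established; content:"|FF|SMB"; flowbits:set,example.smb; flowbits:noalert; metadata:policy balanced-ips drop, policy security-ips drop; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE smb overflow attempt"; flow:to_server,established; flowbits:isset,example.smb; content:"|41 41 41 41|"; metadata:policy security-ips drop; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE http decode"; flowbits:set,example.http; flowbits: noalert; metadata:policy security-ips alert; sid:1000003; rev:1;)
# alert tcp any any -> any 21 (msg:"EXAMPLE disabled ftp state"; flowbits:set,example.ftp; flowbits:noalert; metadata:policy security-ips drop; sid:1000004; rev:1;)
'''

# Rule header up to the first '(', then the option body up to the last ')'.
RULE_RE = re.compile(
    r'^(?P<off>#\s*)?(?:alert|drop|log|pass|reject|sdrop)\s[^(]*\((?P<opts>.*)\)\s*$')

def parse_options(body):
    """Split a rule body on unescaped ';' into (keyword, value) pairs."""
    pairs = []
    for part in re.split(r'(?<!\\);', body):
        key, _, val = part.strip().partition(':')
        if key:
            pairs.append((key.strip().lower(), val.strip()))
    return pairs

def silent_drops(text, policy='security-ips'):
    """Find rules with flowbits:noalert and 'policy <policy> drop' metadata."""
    findings = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        opts = parse_options(m.group('opts'))
        bits = [v.replace(' ', '') for k, v in opts if k == 'flowbits']
        meta = [e.split() for k, v in opts if k == 'metadata'
                for e in v.lower().split(',')]
        if any(b.lower() == 'noalert' for b in bits) and ['policy', policy, 'drop'] in meta:
            findings.append({
                'sid': next((v for k, v in opts if k == 'sid'), None),
                'enabled': m.group('off') is None,  # False for commented-out rules
                'sets': [b.split(',', 1)[1] for b in bits if b.startswith('set,')],
            })
    return findings

if __name__ == '__main__':
    for f in silent_drops(SAMPLE_RULES):
        state = 'enabled' if f['enabled'] else 'disabled'
        print(f"sid {f['sid']} ({state}): noalert + drop, sets {f['sets']}")
```
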