[Snort-sigs] proper metadata use?

Will Metcalf william.metcalf at ...2420...
Tue Apr 27 19:37:11 EDT 2010


Is the metadata policy for all of these rules correct?  If people
start using pulled-pork for policy drop stuff... or maybe I'm
misunderstanding the meaning of this metadata tag.

grep "security-ips drop" *.rules | grep "flowbits\:\s*noalert"

Looks like it would end up in a lot of traffic that is being used for
protocol decode.  It is generally a bad idea to mix drop and
flowbits:noalert as valid traffic ends up getting dropped and the
users have no idea why.  Just my 2 cents....

Regards,

Will
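
The check discussed in the message above, as an added example that is not part of the original post: a Python version of the grep that parses each rule's options, so it also handles backslash-continued rules, skips commented-out rules, and reports the sid. The sample rules, sids, and flowbit names are constructed for illustration and do not come from any real ruleset.

```python
import re

# Constructed sample rules; sids, messages and flowbit names are placeholders.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE smb session setup"; flow:to_server,established; \
    content:"|FF|SMB"; flowbits:set,example.smb.setup; flowbits:noalert; \
    metadata:policy balanced-ips drop, policy security-ips drop; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE smb overflow attempt"; flow:to_server,established; flowbits:isset,example.smb.setup; content:"|41 41 41 41|"; metadata:policy security-ips drop; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE http request seen"; flow:to_server,established; content:"GET "; flowbits:set,example.http.get; flowbits: noalert; metadata:policy security-ips alert; sid:1000003; rev:1;)
# alert tcp any any -> any 21 (msg:"EXAMPLE disabled rule"; flowbits:set,example.ftp; flowbits:noalert; metadata:policy security-ips drop; sid:1000004; rev:1;)
'''

# name:value; pairs. Escaped characters (such as \;) stay inside the value.
OPTION_RE = re.compile(r'(\w+)\s*:\s*((?:\\.|[^;\\])*);')


def parse_options(rule):
    """Return (name, value) pairs from the parenthesised option body."""
    body = rule.partition('(')[2].rpartition(')')[0]
    return [(m.group(1).lower(), m.group(2).strip())
            for m in OPTION_RE.finditer(body)]


def silent_drop_rules(text, policy='security-ips'):
    """List enabled rules that are both flowbits:noalert and drop in `policy`."""
    policy_re = re.compile(r'\bpolicy\s+%s\s+drop\b' % re.escape(policy))
    hits = []
    # Join backslash-continued lines so a multi-line rule parses as one rule.
    for line in re.sub(r'\\\r?\n', ' ', text).splitlines():
        line = line.strip()
        if not line or line.startswith('#') or '(' not in line:
            continue  # blank line, disabled rule, or not a rule
        opts = parse_options(line)
        noalert = any(n == 'flowbits' and v.replace(' ', '').lower() == 'noalert'
                      for n, v in opts)
        drops = any(n == 'metadata' and policy_re.search(v) for n, v in opts)
        if noalert and drops:
            first = lambda key: next((v for n, v in opts if n == key), None)
            hits.append({'sid': first('sid'),
                         'msg': (first('msg') or '').strip('"')})
    return hits


if __name__ == '__main__':
    for hit in silent_drop_rules(SAMPLE_RULES):
        print('sid %(sid)s is drop + noalert: %(msg)s' % hit)
```
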