[Snort-sigs] proper metadata use?

JJ Cummings cummingsj at ...2420...
Tue Apr 27 20:04:06 EDT 2010


Will, certainly a valid concern....

Currently pulledpork does not set rules automatically to a "drop"
state... But rather alert only... The user must specify to pulledpork
which rules they want to set as drop, using the dropsid
configuration option...

HTH
JJC

Sent from the iRoad

On Apr 27, 2010, at 17:37, Will Metcalf <william.metcalf at ...2420...> wrote:

> Is the metadata policy for all of these rules correct?  If people
> start using pulled-pork for policy drop stuff... or maybe I'm
> misunderstanding the meaning of this metadata tag.
>
> grep "security-ips drop" *.rules | grep "flowbits\:\s*noalert"
>
> Looks like it would end up in a lot of traffic that is being used for
> protocol decode.  It is generally a bad idea to mix drop and
> flowbits:noalert as valid traffic ends up getting dropped and the
> users have no idea why.  Just my 2 cents....
>
> Regards,
>
> Will




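The check Will's grep performs, as an added example that is not part of the original thread and is not pulledpork or Snort code: it goes beyond the grep by skipping commented-out rules, ignoring text inside quoted strings, and also flagging `flowbits:noalert` rules whose SIDs an operator has chosen to drop (as with the dropsid option mentioned above). The function names, the `user_drop_sids` parameter, and the sample rules with their SIDs are constructed for illustration.

```python
import re

# Constructed sample rules (placeholder SIDs/msgs, not from any real ruleset).
SAMPLE_RULES = r'''
alert tcp any any -> $HOME_NET 445 (msg:"EXAMPLE SMB session decode"; flowbits:set,ex.smb; flowbits:noalert; metadata:policy balanced-ips drop, policy security-ips drop; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 445 (msg:"EXAMPLE SMB overflow"; flowbits:isset,ex.smb; content:"|41 41|"; metadata:policy security-ips drop; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"EXAMPLE HTTP decode"; flowbits:set,ex.http; flowbits: noalert; metadata:policy security-ips alert; sid:1000003; rev:1;)
# alert tcp any any -> $HOME_NET 21 (msg:"EXAMPLE disabled"; flowbits:noalert; metadata:policy security-ips drop; sid:1000004; rev:1;)
alert tcp any any -> $HOME_NET 25 (msg:"EXAMPLE note metadata:policy security-ips drop\; in text"; flowbits:set,ex.smtp; flowbits:noalert; sid:1000005; rev:1;)
'''

QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')            # msg/content/pcre strings
NOALERT = re.compile(r'\bflowbits\s*:\s*noalert\s*;')
METADATA = re.compile(r'\bmetadata\s*:\s*([^;]*);')
SID = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
POLICY = re.compile(r'policy\s+(\S+)\s+(alert|drop)\b')

def parse_rule(line):
    """Return (sid, has_noalert, {policy: action}) for an active rule, else None."""
    line = line.strip()
    if not line or line.startswith('#') or '(' not in line:
        return None                                   # blank, disabled, or not a rule
    # Blank out quoted strings so option-like text inside msg/content is ignored.
    opts = QUOTED.sub('""', line[line.index('('):])
    sid = SID.search(opts)
    if not sid:
        return None
    policies = {}
    for md in METADATA.findall(opts):
        policies.update(POLICY.findall(md))           # [(policy, action), ...]
    return int(sid.group(1)), bool(NOALERT.search(opts)), policies

def silent_drop_candidates(rules_text, policy='security-ips', user_drop_sids=()):
    """SIDs of noalert rules that would drop under `policy` or the operator's list."""
    hits = []
    for line in rules_text.splitlines():
        parsed = parse_rule(line)
        if parsed is None:
            continue
        sid, noalert, policies = parsed
        if noalert and (policies.get(policy) == 'drop' or sid in user_drop_sids):
            hits.append(sid)
    return hits

if __name__ == '__main__':
    print(silent_drop_candidates(SAMPLE_RULES, user_drop_sids={1000003}))
```
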