[Snort-users] About new rules...

Phil Wood cpw at ...440...
Wed Jan 24 14:39:54 EST 2001

On Wed, Jan 24, 2001 at 07:10:12PM +0100, Guillaume wrote:
> Hi all !
> I just loaded the new rulesets and since I reran snort and fed it those new
> sets, I see a HUGE number of attacks !
> Did I miss something ?

You should look the new rulesets over carefully.  There
are a number of rules (lots) which are more informational.
Like every ICMP packet known to man.  Then there are
some suspect rules which will trigger a lot of false positives.

You have to ask questions, like: "Do I care that someone is
sending me ICMP echo requests?"  As for the scary ones, you
have to look at the contents and decide if it's worth waiting
for the Big one.  Or, better if you can make the rule more
selective.  You can use the -o option in concert with a pass
rule or 100, to ignore specific trigger packets which you just KNOW
are false.

> Thanks.
> Guillaume.
> Background : using snort 1.7 for a couple of days now and did have that kind of
> results until now.

Phil Wood, cpw at ...440...
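
The pass-rule approach described in the reply above, as an added example that is not part of the original message. The network range, the monitoring host 192.168.1.10, the rule messages and the file names are assumptions chosen for illustration.

```conf
# local.rules (constructed example, not from the Snort distribution)
var HOME_NET 192.168.1.0/24

# A broad, informational rule of the kind that floods the alert file:
# it fires on every ICMP echo request (type 8) reaching the home network.
alert icmp any any -> $HOME_NET any (msg:"ICMP Echo Request"; itype: 8;)

# Option 1: a pass rule for the one source you KNOW is benign
# (here a hypothetical monitoring host). Keep it as narrow as possible:
# one source address, one protocol, one ICMP type.
pass icmp 192.168.1.10 any -> $HOME_NET any (itype: 8;)

# Option 2: make the alert rule itself more selective instead, by
# negating the known-benign source. Use this in place of the broad rule
# above, not alongside it, or other sources will alert twice.
# alert icmp !192.168.1.10 any -> $HOME_NET any (msg:"ICMP Echo Request (unexpected source)"; itype: 8;)

# Snort's default evaluation order is alert, pass, log, so without -o the
# broad alert rule matches before the pass rule is consulted.
# -o changes the order to pass, alert, log, which lets Option 1 take effect:
#
#   snort -o -c snort.conf
```

A pass rule suppresses every alert for matching traffic, so an over-broad one (for example `pass icmp any any -> any any`) hides real events along with the false positives.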
