[Snort-users] commenting out rules?

Colin Wu wucolin at ...2181...
Mon Jun 18 11:29:31 EDT 2001

A couple of possibilities come to mind:
1. There are actually two rules in web-misc.rules that match "directory
traveral", one unix flavour and one MS-DOS flavour.  Did you comment out both?
2. You're commenting out the rules in the wrong file.  Is the file you're
editing actually the file snort is using?

BTW, I hate losing information and commenting out a rule is losing information.
If someone does attack you and http directory traversal is involved in the
attack you'll never know if you don't at least log the traffic.  What I tend to
do is change the 'alert' action to 'log' for any rules I think are generating
too many false positives.  That way if I do need to see who's doing what at a
later date I still have the packet in the logs.

My $0.02.

"Sheahan, Paul (PCLN-NW)" wrote:

> I am seeing a ton of "http directory traversals" appear in my snort logs
> which I have determined to be normal in my environment. So I commented out
> this rule in web-misc.rules. Then I killed and re-ran Snort. But it is still
> appearing in my alert log. I tried removing the line from web-misc.rules all
> together just be sure, and it still keeps appearing in the logs as a
> possible attack.
> What am I missing? How do I get Snort to stop checking for this attack and
> others like it?
> Thanks!
> Paul
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


   __     _             _            Network Analyst
  /  )   //            ' )   /       Computing & Information Services
 /    __|/  o ____      / / / . .    McMaster University
(__/ (_) \_<_/ / <_    (_(_/ (_/_    (905)525-9140 ext 24050

More information about the Snort-users mailing list