[Snort-users] commenting out rules?
wucolin at ...2181...
Mon Jun 18 11:29:31 EDT 2001
A couple of possibilities come to mind:
1. There are actually two rules in web-misc.rules that match "directory
traveral", one unix flavour and one MS-DOS flavour. Did you comment out both?
2. You're commenting out the rules in the wrong file. Is the file you're
editing actually the file snort is using?
BTW, I hate losing information and commenting out a rule is losing information.
If someone does attack you and http directory traversal is involved in the
attack you'll never know if you don't at least log the traffic. What I tend to
do is change the 'alert' action to 'log' for any rules I think are generating
too many false positives. That way if I do need to see who's doing what at a
later date I still have the packet in the logs.
"Sheahan, Paul (PCLN-NW)" wrote:
> I am seeing a ton of "http directory traversals" appear in my snort logs
> which I have determined to be normal in my environment. So I commented out
> this rule in web-misc.rules. Then I killed and re-ran Snort. But it is still
> appearing in my alert log. I tried removing the line from web-misc.rules all
> together just be sure, and it still keeps appearing in the logs as a
> possible attack.
> What am I missing? How do I get Snort to stop checking for this attack and
> others like it?
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> Snort-users list archive:
__ _ _ Network Analyst
/ ) // ' ) / Computing & Information Services
/ __|/ o ____ / / / . . McMaster University
(__/ (_) \_<_/ / <_ (_(_/ (_/_ (905)525-9140 ext 24050
More information about the Snort-users