[Snort-users] Configuring False positives
erek at ...577...
Fri Nov 23 11:54:02 EST 2001
On Fri, 23 Nov 2001, Tom Sevy wrote:
> I have found that when I do this, then another rule catches it and
Right! ;-) That's part of the fun, the easter egg hunt in the rules! You'll
have 2 or 3 IIRC you want to 'disable'. Now, disabling the rules is nice,
but there's something else you can do....
If you have Apache, setup something like this:
# Redirect allows you to tell clients about documents which used to exist in
# your server's namespace, but do not anymore. This allows you to tell the
# clients where to look for the relocated document.
# Format: Redirect old-URI new-URL
# The regex is applied to the URL path; the file names are escaped so "."
# matches a literal dot and the backslash is not taken as a regex escape.
RedirectMatch (.*)cmd\.exe(.*) http://127.0.0.1
RedirectMatch (.*)root\.exe(.*) http://127.0.0.1
RedirectMatch (.*)default\.ida(.*) http://127.0.0.1
Now, this doesn't give them a 404; it gives a 302, and sends the worms back to
the localhost. :) Some of these worms use blocking threads. Eventually,
you force the host into a 'self-inflicted' DOS. They stop beating on you, and
everyone else, after a while.... (Some kind soul shared that on the incidents
list a while back...)
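An added example, not from the original post: it applies the three RedirectMatch patterns above the way Apache matches them (first rule wins, URL path only) to constructed access-log lines, so you can check which probes would get the 302 and which clients are still hammering you. The log format, client IPs and request paths are assumptions.

```python
import re
from collections import Counter

# The three RedirectMatch rules from the post, written with a literal
# "cmd.exe" etc. (assumption: the backslash in the original was not meant
# as a regex escape). As in Apache, the first matching rule wins and the
# regex is applied to the URL path only, not the query string.
REDIRECT_RULES = [
    (re.compile(r"(.*)cmd\.exe(.*)"), "http://127.0.0.1"),
    (re.compile(r"(.*)root\.exe(.*)"), "http://127.0.0.1"),
    (re.compile(r"(.*)default\.ida(.*)"), "http://127.0.0.1"),
]

def redirect_target(request_target):
    """Return the 302 Location Apache would send, or None if no rule matches."""
    url_path = request_target.split("?", 1)[0]
    for pattern, target in REDIRECT_RULES:
        if pattern.search(url_path):
            return target
    return None

# Minimal parser for Apache common log format: client IP, method, target, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def probe_summary(log_lines):
    """Per client IP: how many requests hit a redirect rule, and how many of
    those were actually answered with a 302 (i.e. the rules are live)."""
    hits, redirected = Counter(), Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, target, status = m.groups()
        if redirect_target(target) is None:
            continue
        hits[ip] += 1
        if status == "302":
            redirected[ip] += 1
    return hits, redirected

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [23/Nov/2001:11:00:01 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 302 210',
    '10.0.0.5 - - [23/Nov/2001:11:00:02 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 210',
    '10.0.0.9 - - [23/Nov/2001:11:00:03 -0500] "GET /default.ida?XXXX HTTP/1.0" 404 280',
    '10.0.0.7 - - [23/Nov/2001:11:00:04 -0500] "GET /index.html HTTP/1.0" 200 1024',
]
if __name__ == "__main__":
    print(probe_summary(SAMPLE_LOG))
```

A client that shows up in hits but not in redirected is still getting 404s, which means the rules are not in effect for that virtual host.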