[Snort-users] Configuring False positives

Erek Adams erek at ...577...
Fri Nov 23 11:54:02 EST 2001


On Fri, 23 Nov 2001, Tom Sevy wrote:

> I have found that when I do this, then another rule catches it and
> alerts.....

Right!  ;-)  That's part of the fun, the easter egg hunt in the rules!  You'll
have 2 or 3 IIRC you want to 'disable'.  Now, disabling the rules is nice,
but there's something else you can do....

If you have Apache, setup something like this:

# Redirect allows you to tell clients about documents which used to exist in
# your server's namespace, but do not anymore. This allows you to tell the
# clients where to look for the relocated document.
# Format: Redirect old-URI new-URL
#
RedirectMatch (.*)\cmd.exe(.*) http://127.0.0.1
RedirectMatch (.*)\root.exe(.*) http://127.0.0.1
RedirectMatch (.*)\default.ida(.*) http://127.0.0.1

Now, this doesn't give them a 404, it gives a 302.  And sends the worms back to
the localhost.  :)  Some of these worms use blocking threads.  Eventually,
you force the host into a 'self-inflicted' DOS.  They stop beating on you, and
everyone else after a while....  (Some kind soul shared that on the incidents
list a while back...)

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
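Added example, not part of the original mail: a small Python check a defender can run over the Apache access log to confirm the RedirectMatch trick above is actually catching the cmd.exe / root.exe / default.ida probes (they should show up as 302s, not 404s) and to see which hosts are hammering the server. The log format, the regexes and the sample lines are assumptions; the sample lines are constructed, not real traffic.

```python
import re
from collections import Counter

# Apache combined log format (assumed): host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# The same three probe signatures the RedirectMatch lines target,
# with the dots escaped so they match literally.
PROBE_RE = re.compile(r'/(?:cmd\.exe|root\.exe|default\.ida)', re.IGNORECASE)


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def summarize_probes(lines):
    """Count worm-probe requests by HTTP status code and by source host."""
    by_status = Counter()
    by_host = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not PROBE_RE.search(rec["path"]):
            continue
        by_status[rec["status"]] += 1
        by_host[rec["host"]] += 1
    return by_status, by_host


def unredirected_probes(lines):
    """Probes that did NOT get the 302: the redirect rules are missing or not matching,
    and these are the hits Snort will still alert on."""
    by_status, _ = summarize_probes(lines)
    return sum(n for code, n in by_status.items() if code != "302")


# Constructed sample log (Nimda/Code Red style probes plus one normal request).
SAMPLE_LOG = """\
192.0.2.10 - - [23/Nov/2001:11:50:01 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 302 209 "-" "-"
192.0.2.10 - - [23/Nov/2001:11:50:02 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 302 209 "-" "-"
192.0.2.10 - - [23/Nov/2001:11:50:03 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 209 "-" "-"
198.51.100.7 - - [23/Nov/2001:11:51:10 -0500] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 285 "-" "-"
203.0.113.5 - - [23/Nov/2001:11:52:00 -0500] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/4.0"
""".splitlines()

if __name__ == "__main__":
    status, hosts = summarize_probes(SAMPLE_LOG)
    print("probes by status:", dict(status))
    print("probes by host:", dict(hosts))
    print("probes not redirected:", unredirected_probes(SAMPLE_LOG))
```

Run it against the real access_log (e.g. `summarize_probes(open("/var/log/apache/access_log"))`) to see whether any probe still comes back as something other than 302.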
