[Snort-users] Configuring False positives

Erek Adams erek at ...577...
Fri Nov 23 11:54:02 EST 2001

On Fri, 23 Nov 2001, Tom Sevy wrote:

> I have found that when I do this, then another rule catches it and
> alerts.....

Right!  ;-)  That's part of the fun, the easter egg hunt in the rules!  You'll
have 2 or 3 IIRC you want to 'disable'.  Now, disabling the rules is nice,
but there's something else you can do....

If you have Apache, set up something like this:

# Redirect allows you to tell clients about documents which used to exist in
# your server's namespace, but do not anymore. This allows you to tell the
# clients where to look for the relocated document.
# Format: Redirect old-URI new-URL
#
# RedirectMatch takes a regex instead of a URI prefix; $1 and $2 in the target
# re-insert what the two (.*) groups captured, so the client is redirected to
# the same path on its own loopback. The dots are escaped with a backslash
# (\c is not a valid escape). Target URL assumed here: 127.0.0.1, i.e. the
# "localhost" the text below describes.
RedirectMatch (.*)cmd\.exe(.*)      http://127.0.0.1$1cmd.exe$2
RedirectMatch (.*)root\.exe(.*)     http://127.0.0.1$1root.exe$2
RedirectMatch (.*)default\.ida(.*)  http://127.0.0.1$1default.ida$2

Now, this doesn't give them a 404; it gives a 302.  And sends the worms back to
the localhost.  :)  Some of these worms use blocking threads.  Eventually,
you force the host into a 'self-inflicted' DoS.  They stop beating on you, and
everyone else after a while....  (Some kind soul shared that on the incidents
list a while back...)


Erek Adams
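Added illustration, not part of Erek's post or of the Snort or Apache projects: a small Python model of what those three RedirectMatch lines do to a request path. The 127.0.0.1 target is an assumption taken from "sends the worms back to the localhost", and the worm-style request lines are constructed for the example (they only mimic the shape of the default.ida / root.exe / cmd.exe probes the rules are aimed at). It also shows the check a practitioner would want before deploying this: an unanchored (.*)cmd\.exe(.*) matches any path containing cmd.exe, including a legitimate page named after it.

```python
import re

# Python equivalents of the three RedirectMatch lines in the post above.
# Apache writes the backreferences as $1/$2, re.Match.expand() as \1/\2.
# The redirect target (127.0.0.1) is an assumption taken from the post's
# "sends the worms back to the localhost".
REDIRECT_RULES = [
    (re.compile(r"(.*)cmd\.exe(.*)"),     r"http://127.0.0.1\1cmd.exe\2"),
    (re.compile(r"(.*)root\.exe(.*)"),    r"http://127.0.0.1\1root.exe\2"),
    (re.compile(r"(.*)default\.ida(.*)"), r"http://127.0.0.1\1default.ida\2"),
]


def apply_redirects(path):
    """Mimic mod_alias RedirectMatch for one request path.

    RedirectMatch tests the (unanchored) regex against the URL path only, not
    the query string, and the first matching rule wins. Returns (status,
    location): (302, url) on a match, (200, None) when nothing matched.
    """
    for pattern, target in REDIRECT_RULES:
        m = pattern.search(path)
        if m:
            return 302, m.expand(target)
    return 200, None


def route_request_line(request_line):
    """Take a raw HTTP request line ("GET /x?y HTTP/1.0"), split the query
    string off the target and return (path, status, location)."""
    _method, target, _version = request_line.split(" ", 2)
    path, _, _query = target.partition("?")
    status, location = apply_redirects(path)
    return path, status, location


# Constructed sample request lines in the shape of the 2001 IIS worm probes
# the rules target (default.ida, root.exe, a traversal to cmd.exe), plus two
# ordinary requests so the rules' reach can be checked.
SAMPLE_REQUESTS = [
    "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0",
    "GET /scripts/root.exe?/c+dir HTTP/1.0",
    "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /index.html HTTP/1.0",
    "GET /docs/cmd.exe-usage.html HTTP/1.0",
]


def summarize(requests=SAMPLE_REQUESTS):
    """Map each request path to the status it would get. The last sample is a
    legitimate page whose name merely contains cmd.exe; the unanchored
    pattern redirects it too, which is the caveat to check before deploying."""
    return {path: status for path, status, _ in map(route_request_line, requests)}


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        path, status, location = route_request_line(line)
        print(f"{status} {path}" + (f" -> {location}" if location else ""))
```

Run it and the three worm-style paths come back as 302 to the same path on 127.0.0.1, /index.html passes through, and /docs/cmd.exe-usage.html is caught as collateral; tighten the regexes (for example anchor them to the directories the worms actually probe) if you serve anything with those names.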

