[Snort-users] Who looks after the rules?

Jason Haar Jason.Haar at ...294...
Wed Sep 26 21:16:06 EDT 2001


Is there someone to send bug reports to about the rules?

I've just started seeing false alerts on "X11 outgoing", and it's another
case of the rule being too generalised. It's looking for:

alert tcp $EXTERNAL_NET 6000:6005 -> $HOME_NET any (msg:"X11 outgoing"; flags: SA; reference:arachnids,126; classtype:unknown; sid:1227; rev:1;)

when

alert tcp $EXTERNAL_NET 6000:6005 -> $HOME_NET 1024: (msg:"X11 outgoing"; flags: SA; reference:arachnids,126; classtype:unknown; sid:1227; rev:1;)

would be better.

-- 
Cheers

Jason Haar

Unix/Special Projects, Trimble NZ
Phone: +64 3 9635 377 Fax: +64 3 9635 417
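
Added example (not part of the original post, and not Snort's own code): a header-only evaluation of the two sid:1227 variants quoted above, showing that the only packets the proposed rule stops alerting on are SYN-ACKs whose destination port is below 1024. It assumes the addresses already match $EXTERNAL_NET and $HOME_NET; the function names and sample packets are constructed for illustration.

```python
# Added example: compares the shipped and proposed sid:1227 headers.
# Assumption: src/dst addresses already match $EXTERNAL_NET / $HOME_NET.

SYN, ACK = 0x02, 0x10

def port_matches(spec, port):
    """Evaluate a Snort port spec: any, N, lo:hi, lo:, :hi, optional leading '!'."""
    spec = spec.strip()
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)

def rule_alerts(src_spec, dst_spec, pkt):
    """'flags: SA' with no modifier means exactly SYN+ACK and nothing else."""
    return (pkt["flags"] == (SYN | ACK)
            and port_matches(src_spec, pkt["sport"])
            and port_matches(dst_spec, pkt["dport"]))

def current_rule(pkt):
    return rule_alerts("6000:6005", "any", pkt)

def proposed_rule(pkt):
    return rule_alerts("6000:6005", "1024:", pkt)

# Constructed sample packets (not taken from the post).
PACKETS = [
    {"name": "SYN-ACK 6000 -> 32801", "sport": 6000, "dport": 32801, "flags": SYN | ACK},
    {"name": "SYN-ACK 6001 -> 25", "sport": 6001, "dport": 25, "flags": SYN | ACK},
    {"name": "ACK only 6000 -> 32801", "sport": 6000, "dport": 32801, "flags": ACK},
    {"name": "SYN-ACK 6010 -> 40000", "sport": 6010, "dport": 40000, "flags": SYN | ACK},
]

def compare(packets=PACKETS):
    """Return (name, alerts_under_current, alerts_under_proposed) per packet."""
    return [(p["name"], current_rule(p), proposed_rule(p)) for p in packets]

if __name__ == "__main__":
    for name, cur, new in compare():
        print(f"{name:24} current={cur!s:5} proposed={new}")
```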



