[Snort-users] 3 questions on rules

Garrett.Allen at ...8966...
Thu May 15 09:39:08 EDT 2003


Making haste slowly with Snort. Getting tons (U.S., not metric) of alerts,
so trying to winnow out the chaff.
Presently have a Snort 2.0.0 (build 72) install running on a RH 8 Linux
distribution, upgraded from Snort 1.9.1.

1. Looking at the Snort signature DB I see that for SID 2102, NETBIOS SMB
SMB_COM_TRANSACTION Max Data Count of 0 DOS attempt, the summary section
states "this rule has been deprecated due to an inordinately large number of
false positives." In netbios.rules, however, I still see the rule,
so either 1. I have the wrong rules or 2. I should remove it as it is
deprecated and generating a lot of unneeded alarms. I haven't approached
rule writing, so is there a good howto available if I need to go this route
(or is it as simple as deleting the appropriate lines)?

2. Is there a way to determine the version of the rules that are in use? I
checked a couple of files and didn't see anything that would indicate a
version.

3. I checked the Snort signature database but did not see an explanation for
P2P GNUTELLA GET. It has a low severity but again I get tons of them. Any
help on understanding this would be appreciated.

Thanks in advance for your reply.
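Questions 1 and 2 above are both answered by looking at and editing the rule files directly. The following is an added example (not from the poster and not the Snort project's own tooling) showing one safe way to do that from a shell: comment out a rule by its exact SID instead of deleting the line, count the rules that are still active, and read the version header. The sample rules file is constructed here; the rule bodies are placeholders, and the `$Id:` line is an assumption that the rule files carry a CVS keyword header (the real netbios.rules of that era may differ).

```sh
#!/bin/sh
# Added example, not code from the original post or from Snort.

# Write a constructed stand-in for netbios.rules to the file named in $1.
# The "$Id:" header mimics a CVS keyword line (assumption about the real
# files); the rule bodies are placeholders, not the real Snort 2.0 rules.
make_sample_rules() {
cat > "$1" <<'EOF'
# $Id: netbios.rules,v 1.0 2003/01/01 00:00:00 example Exp $
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB example one"; flow:to_server,established; sid:2101; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt"; flow:to_server,established; sid:2102; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB example three"; flow:to_server,established; sid:21020; rev:1;)
EOF
}

# Print line number and text of every rule carrying exactly "sid:<n>;",
# whether it is active or already commented out.
find_sid() {
    grep -n "sid:$2;" "$1"
}

# Comment out every active rule whose sid matches exactly.  Matching on
# "sid:<n>;" (with the semicolon) keeps sid:2102 from also hitting sid:21020.
# Only lines that start with a rule action word are touched, so lines that
# are already commented out are left alone.  Writes via a temp file instead
# of sed -i so it works on both GNU and BSD sed.
disable_sid() {
    file=$1; sid=$2
    tmp=$(mktemp)
    sed "/^[a-z][a-z]*[[:space:]].*sid:${sid};/s/^/# /" "$file" > "$tmp" \
        && mv "$tmp" "$file"
}

# Count rules that are still active (lines beginning with an action word).
count_active() {
    grep -c '^[a-z][a-z]*[[:space:]]' "$1"
}

# Show the file's version header, if it has one ("# $Id: ..." assumed).
rules_version() {
    grep '^# \$Id' "$1" | head -n 1
}

# Stand-alone demonstration on a temporary copy of the constructed file.
f=$(mktemp)
make_sample_rules "$f"
echo "rules header:        $(rules_version "$f")"
echo "active rules before: $(count_active "$f")"
disable_sid "$f" 2102
echo "active rules after:  $(count_active "$f")"
find_sid "$f" 2102
rm -f "$f"
```

Commenting the line out rather than deleting it keeps the rule text in place, so it can be re-enabled later or compared against a newer rule set. Snort reads the rule files at start-up, so restart it (or otherwise reload its configuration) after the edit. The same `find_sid` call answers "do I have the wrong rules": if the SID is not in the file at all, the rule set on disk is a different one from the one the signature database describes.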
