[Snort-users] 3 questions on rules
bmc at ...950...
Thu May 15 13:44:07 EDT 2003
On Thu, May 15, 2003 at 01:44:16PM -0400, Erek Adams wrote:
> On Thu, 15 May 2003 Garrett.Allen at ...8966... wrote:
> > 1. Looking at the Snort signature DB I see that for sid 2102, netbios smb
> > smb_com_transaction max data count of 0 dos attempt, the summary section
> > states "this rule has been deprecated due to an inordinately large number of
> > false positives." In netbios.rules, however, I still see the rule,
> > so either 1. I have the wrong rules or 2. I should remove it as it is
> > deprecated and generating a lot of unneeded alarms. I haven't approached
> > rule writing, so is there a good howto available if I need to go this route
> > (or is it as simple as deleting the appropriate lines)?
> You don't have the wrong rules. That rule is enabled in the default
> ruleset. Yes, it does say 'deprecated', but I don't know if it should be
> removed or what. That would be one for our Benevolent Rule Nazi, Brian.
It has been deprecated. You need to update your ruleset. If you
track our rule changes, you would see that one of the changes I made
was to move it to deleted.rules.
Max data count of 0 happens quite a bit on real networks.
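The answer above is to refresh the ruleset so the rule lands in deleted.rules. Until that update is pulled, an administrator can still silence one noisy rule locally without hand-editing the file. The following shell helpers are an added example, not code from the thread or from the Snort project: they comment out every active rule line carrying a given SID and count how many active copies remain. The sample rules file is constructed for the demonstration; its header and option fields for sid 2102 are assumed and are not the real rule text.

```shell
#!/bin/sh
# Added example: disable a Snort rule by SID in a rules file by commenting
# it out, instead of deleting the line (a commented rule is easy to audit
# and to re-enable once the ruleset has been refreshed).

make_sample_rules() {
  # Write a constructed two-rule file to "$1". The fields for sid 2102
  # below are assumed for the example and are not the project's rule text.
  cat > "$1" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt"; sid:2102; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"CONSTRUCTED example rule that must stay active"; sid:9999999; rev:1;)
EOF
}

count_active_sid() {
  # Print the number of uncommented rule lines in file "$2" whose options
  # contain "sid:<$1>;" (whitespace around the number is tolerated).
  # grep -c exits 1 when the count is 0, so "|| true" keeps "0" as output.
  grep -c "^[^#].*sid:[[:space:]]*$1[[:space:]]*;" "$2" || true
}

disable_sid() {
  # Comment out every active rule line in file "$2" that carries sid "$1".
  # The edit goes through a temporary file and a rename so the rules file
  # is never left half-written if the process is interrupted.
  sid="$1"; file="$2"; tmp="$file.tmp.$$"
  sed "/^[^#].*sid:[[:space:]]*$sid[[:space:]]*;/s/^/#/" "$file" > "$tmp" \
    && mv "$tmp" "$file"
}

# Usage (run against a copy of the live file, then reload Snort):
#   make_sample_rules /tmp/netbios.rules   # only to try the example
#   count_active_sid 2102 /tmp/netbios.rules   # -> 1
#   disable_sid 2102 /tmp/netbios.rules
#   count_active_sid 2102 /tmp/netbios.rules   # -> 0
```

The SID match requires the terminating semicolon, so disabling sid 2102 cannot accidentally catch sid 21020; the pattern also skips lines that are already commented, so running it twice does not stack `##` prefixes.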