[Snort-users] 3 questions on rules

Brian bmc at ...950...
Thu May 15 13:44:07 EDT 2003


On Thu, May 15, 2003 at 01:44:16PM -0400, Erek Adams wrote:
> On Thu, 15 May 2003 Garrett.Allen at ...8966... wrote:
> > 1. looking at the snort signature db i see that for sid 2102, netbios smb
> > smb_com_transaction max data count of 0 dos attempt, the summary section
> > states "this rule has been deprecated due to an inordinately large number of
> > false positives."  in the netbios.rules, however, i still see the rule
> > so either 1. i have the wrong rules or 2. i should remove it as it is
> > deprecated and generating a lot of unneeded alarms.  i haven't approached
> > rule writing so is there a good howto available if i need to go this route
> > (or is it as simple as deleting the appropriate lines).
> 
> You don't have the wrong rules.  That rule is enabled in the default
> ruleset.  Yes, it does say 'deprecated', but I don't know if it should be
> removed or what.  That would be one for our Benevolent Rule Nazi, Brian.
> :)

It has been deprecated.  You need to update your ruleset.  If you
track our rule changes, you would see that one of the changes I made
was to move it to deleted.rules.

max data count of 0 happens quite a bit on real networks.

-brian
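The situation in this thread, a SID that has been moved to deleted.rules but still shows up in an older copy of netbios.rules, is easy to catch mechanically after a ruleset update. The script below is an added example, not code from the thread or from the Snort project: it parses the uncommented rules in a set of rule files, reports any SID that is active in a regular file while also being listed in deleted.rules, and can comment those rules out. The rule text, SIDs other than 2102 and the file contents are constructed samples, not the real Snort 2.0 rules.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample rule files (not the real Snort rulesets): an old
# netbios.rules that still carries sid 2102, and a deleted.rules that also
# carries it after the rule was deprecated.  Rule bodies are made up.
SAMPLE_FILES: Dict[str, str] = {
    "netbios.rules": (
        '# constructed sample, not the distributed netbios.rules\n'
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB '
        'SMB_COM_TRANSACTION Max Data Count of 0 DoS Attempt"; '
        'flow:to_server,established; classtype:attempted-dos; sid:2102; rev:1;)\n'
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS sample rule"; '
        'flow:to_server,established; classtype:misc-activity; sid:9000001; rev:1;)\n'
        '# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"commented out, '
        'not active"; sid:9000002; rev:1;)\n'
    ),
    "deleted.rules": (
        '# rules moved here are not loaded unless deleted.rules is included\n'
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB '
        'SMB_COM_TRANSACTION Max Data Count of 0 DoS Attempt"; '
        'flow:to_server,established; classtype:attempted-dos; sid:2102; rev:1;)\n'
    ),
}

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
MSG_RE = re.compile(r'msg\s*:\s*"([^"]*)"')


def active_sids(text: str) -> Dict[int, str]:
    """Return {sid: msg} for every uncommented rule line in one rule file."""
    sids: Dict[int, str] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank or commented-out rule: Snort will not load it
        sid_match = SID_RE.search(stripped)
        if not sid_match:
            continue  # not a rule line (or a rule without a sid option)
        msg_match = MSG_RE.search(stripped)
        sids[int(sid_match.group(1))] = msg_match.group(1) if msg_match else ""
    return sids


def find_stale(files: Dict[str, str], deleted_name: str = "deleted.rules") -> Dict[int, List[str]]:
    """Map each SID listed in deleted.rules to the other files where it is still active."""
    deleted = set(active_sids(files.get(deleted_name, "")))
    stale: Dict[int, List[str]] = {}
    for name, text in files.items():
        if name == deleted_name:
            continue
        for sid in active_sids(text):
            if sid in deleted:
                stale.setdefault(sid, []).append(name)
    return stale


def disable_sids(text: str, sids: Iterable[int]) -> str:
    """Comment out the active rule lines carrying any of the given SIDs."""
    targets = set(sids)
    out: List[str] = []
    for line in text.splitlines():
        stripped = line.strip()
        sid_match = SID_RE.search(stripped)
        if sid_match and not stripped.startswith("#") and int(sid_match.group(1)) in targets:
            out.append("# " + line)
        else:
            out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    stale = find_stale(SAMPLE_FILES)
    for sid, where in sorted(stale.items()):
        print(f"sid {sid} is in deleted.rules but still active in: {', '.join(where)}")
    fixed = disable_sids(SAMPLE_FILES["netbios.rules"], stale)
    print(fixed)
```

On a real installation you would read the rule files from the rules directory into the `files` dictionary instead of using the constructed samples; a SID reported by `find_stale` means the local copy of that file predates the deprecation and should be replaced by the current ruleset rather than patched by hand.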