[Snort-users] Using Snort & DB to remove false alarms

Jason Haar Jason.Haar at ...294...
Tue Apr 6 16:32:03 EDT 2004


On Wed, 2004-04-07 at 03:51, Kreimendahl, Chad J wrote:
> Maybe a better idea for this would be to use tagging of some sort and
> have another rule that if it matches 404 on the first return packet...
> does not alert.   The problem with this is that you'd not be able to

I think this is an excellent idea - but it's a wheel that shouldn't be
re-invented.

Nessus had exactly this issue to contend with, so all that can be stolen
should be from it to do it right.

e.g. Don't expect a "404" error. A lot of people put up "error pages" to
be returned when a bad page is asked for. IIS (can) returns them as
"200" instead of "40x"... Don't ask me why... Anyway, Nessus has code to
work around those kinds of monstrosities.


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1




More information about the Snort-users mailing list