[Snort-users] Using Snort & DB to remove false alarms
Jason.Haar at ...294...
Tue Apr 6 16:32:03 EDT 2004
On Wed, 2004-04-07 at 03:51, Kreimendahl, Chad J wrote:
> Maybe a better idea for this would be to use tagging of some sort and
> have another rule that if it matches 404 on the first return packet...
> does not alert. The problem with this is that you'd not be able to
I think this is an excellent idea - but it's a wheel that shouldn't be
Nessus had exactly this issue to contend with, so all that can be stolen
should be from it to do it right.
e.g. Don't expect a "404" error. A lot of people put up "error pages" to
be returned when a bad page is asked for. IIS (can) returns them as
"200" instead of "40x"... Don't ask me why... Anyway, Nessus has code to
work around those kinds of monstrosities.
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
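
The failure mode described in this message, as an added example (not part of the original post, and not Nessus's or Snort's code): a triage check that does not trust the status code alone but compares each response with the same server's answer to a path that cannot exist. The function names, the 0.9 similarity threshold and the sample responses are assumptions constructed for illustration.

```python
import difflib
import re

# Constructed sample data: the server's answer to a path that cannot exist,
# fetched once per server as a baseline (assumption of this example).
BASELINE = {"path": "/zz-no-such-page-81237.html", "status": 200,
            "body": "<html><body><h1>Sorry</h1><p>The page "
                    "/zz-no-such-page-81237.html could not be found.</p></body></html>"}

# Constructed responses tied to three web alerts.
ALERTS = [
    {"path": "/scripts/probe.cgi", "status": 200,
     "body": "<html><body><h1>Sorry</h1><p>The page /scripts/probe.cgi "
             "could not be found.</p></body></html>"},
    {"path": "/index.html", "status": 200,
     "body": "<html><body><h1>Welcome</h1><p>Product catalogue and support "
             "downloads for registered customers.</p></body></html>"},
    {"path": "/old/admin.asp", "status": 404, "body": "Not Found"},
]

def normalize(body, path):
    """Remove parts of an error page that change per request."""
    body = body.replace(path, "")          # echoed request path
    body = re.sub(r"\d+", "", body)        # counters, timestamps, ids
    return re.sub(r"\s+", " ", body).strip().lower()

def is_not_found(resp, baseline, threshold=0.9):
    """True if resp is an honest 40x or matches the server's error page."""
    if resp["status"] in (404, 410):
        return True
    if resp["status"] != baseline["status"]:
        return False                       # e.g. real 200 vs. honest 404 baseline
    ratio = difflib.SequenceMatcher(
        None, normalize(resp["body"], resp["path"]),
        normalize(baseline["body"], baseline["path"])).ratio()
    return ratio >= threshold

def triage(alerts, baseline):
    """Label each alert: the target did not exist, or it needs review."""
    return [(a["path"], "not-found" if is_not_found(a, baseline) else "review")
            for a in alerts]

if __name__ == "__main__":
    for path, verdict in triage(ALERTS, BASELINE):
        print(f"{verdict:10} {path}")
```
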