[Snort-users] Using Snort & DB to remove false alarms

Jason Haar Jason.Haar at ...294...
Tue Apr 6 16:32:03 EDT 2004

On Wed, 2004-04-07 at 03:51, Kreimendahl, Chad J wrote:
> Maybe a better idea for this would be to use tagging of some sort and
> have another rule that if it matches 404 on the first return packet...
> does not alert.   The problem with this is that you'd not be able to

I think this is an excellent idea - but it's a wheel that shouldn't be

Nessus had exactly this issue to contend with, so all that can be stolen
should be from it to do it right.

e.g. Don't expect a "404" error. A lot of people put up "error pages" to
be returned when a bad page is asked for. IIS (can) returns them as
"200" instead of "40x"... Don't ask me why... Anyway, Nessus has code to
work around those kinds of monstrosities.


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
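
An added illustration of the point in the message above (not code from Nessus, Snort or the original post): rather than trusting the status code, fetch a path that cannot exist, keep that reply as a baseline, and treat any later reply that matches it as "not found". The function names, the 0.9 similarity threshold and the sample responses are assumptions constructed for this example.

```python
import difflib
import re

def normalize(body, path):
    """Drop per-request noise: the echoed request path, digits, whitespace runs."""
    body = re.sub(r"\d+", "", body.replace(path, ""))
    return re.sub(r"\s+", " ", body).strip().lower()

def is_not_found(status, body, path, baseline, threshold=0.9):
    """True when the response means 'no such page', even if the status says 200."""
    if status in (404, 410):
        return True
    if status != 200:
        return False  # redirects, 403, 5xx: leave for a human to judge
    base_path, base_body = baseline
    ratio = difflib.SequenceMatcher(
        None, normalize(body, path), normalize(base_body, base_path)).ratio()
    return ratio >= threshold

def still_worth_alerting(responses, baseline):
    """Return the request paths whose responses were NOT a disguised 'not found'."""
    return [p for p, status, body in responses
            if not is_not_found(status, body, p, baseline)]

# Constructed sample data: baseline is the server's reply to a made-up path.
BASELINE = ("/zq7x-no-such-page-1f3a.html",
            "<html><title>Oops</title><body>Sorry, the page "
            "/zq7x-no-such-page-1f3a.html could not be found. Ref 48213"
            "</body></html>")
RESPONSES = [
    ("/scripts/probe.cgi", 200,
     "<html><title>Oops</title><body>Sorry, the page /scripts/probe.cgi "
     "could not be found. Ref 99120</body></html>"),
    ("/cgi-bin/guestbook.cgi", 200,
     "<html><title>Guestbook</title><body><form action=\"/cgi-bin/guestbook.cgi\">"
     "Name: <input name=\"n\"></form></body></html>"),
    ("/old/admin.asp", 404, ""),
]

if __name__ == "__main__":
    print(still_worth_alerting(RESPONSES, BASELINE))
```

Only the guestbook request survives the filter: the first reply is a 200 that matches the custom error page, and the third is an honest 404.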
