[Snort-users] Using Snort & DB to remove false alarms

Kreimendahl, Chad J Chad.Kreimendahl at ...4716...
Wed Apr 7 08:06:03 EDT 2004

A return page on a FILE_NOT_FOUND (404) also returns the 404 code in the
header, along with the page. 

-----Original Message-----
From: Jason Haar [mailto:Jason.Haar at ...294...] 
Sent: Tuesday, April 06, 2004 6:32 PM
To: Snort Users
Subject: RE: [Snort-users] Using Snort & DB to remove false alarms

On Wed, 2004-04-07 at 03:51, Kreimendahl, Chad J wrote:
> Maybe a better idea for this would be to use tagging of some sort and
> have another rule that if it matches 404 on the first return packet...
> does not alert.   The problem with this is that you'd not be able to

I think this is an excellent idea - but it's a wheel that shouldn't be

Nessus had exactly this issue to contend with, so all that can be stolen
should be from it to do it right.

e.g. Don't expect a "404" error. A lot of people put up "error pages" to
be returned when a bad page is asked for. IIS (can) returns them as
"200" instead of "40x"... Don't ask me why... Anyway, Nessus has code to
work around those kinds of monstrosities.


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
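
An added example, not part of the original messages and not Nessus or Snort code, showing one way to triage an alerted web request along the lines discussed in this thread: a 404 status means the request missed, and a 200 reply is compared against the same server's reply to a path known not to exist to catch custom error pages. The baseline-comparison approach, the 0.9 threshold, the paths and all sample responses are assumptions constructed for illustration.

```python
import difflib

SOFT_404_THRESHOLD = 0.9  # assumed similarity cut-off; tune per site

def parse_response(raw: bytes):
    """Split a raw HTTP response into (status_code, body_text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split()
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP response")
    return int(parts[1]), body.decode("latin-1")

def normalise(body: str, path: str) -> str:
    """Drop the echoed request path and collapse whitespace before comparing."""
    return " ".join(body.replace(path, "").split()).lower()

def classify(raw: bytes, path: str, baseline_raw: bytes, baseline_path: str) -> str:
    """Return 'not_found', 'soft_404', 'served' or 'review' for an alerted request.

    baseline_raw is the same server's reply to baseline_path, a path known
    not to exist (hypothetical helper input, collected once per server).
    """
    status, body = parse_response(raw)
    if status in (404, 410):
        return "not_found"          # real error code in the header
    if not 200 <= status < 300:
        return "review"             # redirects, 403, 5xx: leave to an analyst
    _, base_body = parse_response(baseline_raw)
    ratio = difflib.SequenceMatcher(
        None, normalise(body, path), normalise(base_body, baseline_path)
    ).ratio()
    return "soft_404" if ratio >= SOFT_404_THRESHOLD else "served"

# Constructed sample responses (not captured traffic).
ERROR_PAGE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
              "<html><body><h1>Sorry</h1><p>%s could not be found.</p></body></html>")
BASELINE_PATH = "/zz-no-such-page-7f3a"
ALERT_PATH = "/scripts/example.cgi"
BASELINE = (ERROR_PAGE % BASELINE_PATH).encode()
SOFT = (ERROR_PAGE % ALERT_PATH).encode()
REAL = b"HTTP/1.1 200 OK\r\n\r\n<html><body><pre>Index of /scripts</pre></body></html>"
HARD = b"HTTP/1.1 404 Not Found\r\n\r\n<html>Not Found</html>"

if __name__ == "__main__":
    for name, raw in (("hard 404", HARD), ("custom error page", SOFT), ("real page", REAL)):
        print(name, "->", classify(raw, ALERT_PATH, BASELINE, BASELINE_PATH))
```
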
