[Snort-users] Using Snort & DB to remove false alarms

Kreimendahl, Chad J Chad.Kreimendahl at ...4716...
Wed Apr 7 08:06:03 EDT 2004


A return page on a FILE_NOT_FOUND (404) also returns the 404 code in the
header, along with the page. 

-----Original Message-----
From: Jason Haar [mailto:Jason.Haar at ...294...] 
Sent: Tuesday, April 06, 2004 6:32 PM
To: Snort Users
Subject: RE: [Snort-users] Using Snort & DB to remove false alarms

On Wed, 2004-04-07 at 03:51, Kreimendahl, Chad J wrote:
> Maybe a better idea for this would be to use tagging of some sort and
> have another rule that if it matches 404 on the first return packet...
> does not alert.   The problem with this is that you'd not be able to

I think this is an excellent idea - but it's a wheel that shouldn't be
re-invented.

Nessus had exactly this issue to contend with, so all that can be stolen
should be from it to do it right.

e.g. Don't expect a "404" error. A lot of people put up "error pages" to
be returned when a bad page is asked for. IIS (can) returns them as
"200" instead of "40x"... Don't ask me why... Anyway, Nessus has code to
work around those kinds of monstrosities.


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
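As an added example for this thread (not Snort, Nessus, or either poster's code), here is a small Python triage routine that implements the check the two messages describe: read the status code from the first response packet (it sits in the status line ahead of the page body, as Chad notes) and demote a web-probe alert when the server says the resource does not exist, while also catching the IIS-style custom error page that comes back as "200 OK" (Jason's caveat). The sample responses, the "not found" phrase list, and the decision to treat only a 404 (not every 40x) as "resource missing" are assumptions of this example.

```python
# Added example for the Snort-users thread above; not code from the thread,
# Snort or Nessus. Sample responses and the phrase list are constructed.
import re

# Constructed first-response-packet payloads, one per case discussed in the thread.
RESPONSES = {
    "real_404": (
        b"HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n"
        b"<html><body>Not Found</body></html>"
    ),
    # The IIS behaviour Jason describes: a custom error page with a 200 status.
    "custom_200_error": (
        b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n"
        b"Content-Type: text/html\r\n\r\n"
        b"<html><title>Error</title><body>The page cannot be found</body></html>"
    ),
    # A genuine hit: the probed resource exists, so the alert must stand.
    "hit_200": (
        b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        b"<html><body>Welcome to the admin console</body></html>"
    ),
    # A redirect says nothing about whether the resource exists; keep the alert.
    "redirect_302": b"HTTP/1.1 302 Found\r\nLocation: /login\r\n\r\n",
}

# Status line: "HTTP/x.y CODE reason" terminated by CRLF or LF.
STATUS_LINE = re.compile(rb"^HTTP/\d\.\d (\d{3}) [^\r\n]*\r?\n")

# Phrases that custom error pages commonly carry in their body. This list is an
# assumption for the example; a real deployment would tune it per server.
NOT_FOUND_MARKERS = (b"not found", b"cannot be found", b"does not exist")


def parse_status(payload: bytes):
    """Return the HTTP status code from the response's first line, or None
    if the packet does not start with an HTTP status line."""
    m = STATUS_LINE.match(payload)
    return int(m.group(1)) if m else None


def response_body(payload: bytes) -> bytes:
    """Return the part after the header block (empty if there is none)."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    return body if sep else b""


def looks_like_not_found(payload: bytes) -> bool:
    """True when the server reports the requested resource as missing:
    either a real 404, or a 200 whose body reads like an error page."""
    code = parse_status(payload)
    if code == 404:
        return True
    if code == 200:
        body = response_body(payload).lower()
        return any(marker in body for marker in NOT_FOUND_MARKERS)
    # Anything else (3xx, 401/403, 5xx, or unparseable) is not evidence that
    # the resource is absent, so the alert is left alone.
    return False


def triage(alert_name: str, first_response: bytes) -> str:
    """Decide whether a web-probe alert should be kept or suppressed, given
    the first packet the server returned for the probed request."""
    return "suppress" if looks_like_not_found(first_response) else "alert"


def triage_all() -> dict:
    """Run the decision over every constructed sample."""
    return {name: triage("WEB-IIS probe", p) for name, p in RESPONSES.items()}


if __name__ == "__main__":
    for name, verdict in triage_all().items():
        print(f"{name:18} -> {verdict}")
```

The body heuristic is the part that can misfire: a page that legitimately contains the words "not found" would also be demoted, so in practice a check like this is better used to lower an alert's priority than to drop it outright.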

