[Snort-users] 1:17239 False Positive

waldo kitty wkitty42 at ...14940...
Tue Oct 12 15:57:49 EDT 2010

On 10/12/2010 15:42, Joel Esler wrote:
> Right, that's the general rule of thumb, however, this rule was updated in today's rulepack.
> Joel
> On Oct 12, 2010, at 12:21 PM, Christopher A. Libby wrote:
>> My initial guess would be disable this rule if you aren't using the product  [...]

"the general rule of thumb" depends on which side of the fence one is standing 
and operating on...

on my side of the fence, if there is some bad traffic, i want to know about 
it... just because i'm not using a particular product doesn't mean that i'm 
willing to let that abusive traffic and those abusive IPs access my 
network(s)... if some IP is beating on my network with traffic attempting to 
compromise a package that i'm not running, they are obviously up to no good and 
they are quite unwelcome in my network(s)... as such they are unceremoniously 
blocked with all due prejudice available...

this is especially true with web-base traffic... just because i'm not running a 
CMS doesn't mean that i'm going to allow my server(s) and application(s) be beat 
on with traffic that is attempting to violate any CMS product... why should i 
allow all that traffic on my network(s)? why should i subject my server(s) and 
app(s) to that kind of beating? thank but no thanks...

just a view from the other side of the fence 8)

More information about the Snort-users mailing list