[Snort-users] 1:17239 False Positive
wkitty42 at ...14940...
Tue Oct 12 15:57:49 EDT 2010
On 10/12/2010 15:42, Joel Esler wrote:
> Right, that's the general rule of thumb, however, this rule was updated in today's rulepack.
> On Oct 12, 2010, at 12:21 PM, Christopher A. Libby wrote:
>> My initial guess would be disable this rule if you aren't using the product [...]
"the general rule of thumb" depends on which side of the fence one is standing
and operating on...
on my side of the fence, if there is some bad traffic, i want to know about
it... just because i'm not using a particular product doesn't mean that i'm
willing to let that abusive traffic and those abusive IPs access my
network(s)... if some IP is beating on my network with traffic attempting to
compromise a package that i'm not running, they are obviously up to no good and
they are quite unwelcome in my network(s)... as such they are unceremoniously
blocked with all due prejudice available...
this is especially true with web-based traffic... just because i'm not running a
CMS doesn't mean that i'm going to allow my server(s) and application(s) to be beat
on with traffic that is attempting to violate any CMS product... why should i
allow all that traffic on my network(s)? why should i subject my server(s) and
app(s) to that kind of beating? thanks but no thanks...
just a view from the other side of the fence 8)