[Snort-users] 1:17239 False Positive
jesler at ...1935...
Tue Oct 12 16:11:02 EDT 2010
On Oct 12, 2010, at 3:57 PM, waldo kitty wrote:
> On 10/12/2010 15:42, Joel Esler wrote:
>> Right, that's the general rule of thumb, however, this rule was updated in today's rulepack.
>> On Oct 12, 2010, at 12:21 PM, Christopher A. Libby wrote:
>>> My initial guess would be disable this rule if you aren't using the product [...]
> "the general rule of thumb" depends on which side of the fence one is standing
> and operating on...
> on my side of the fence, if there is some bad traffic, i want to know about
> it... just because i'm not using a particular product doesn't mean that i'm
> willing to let that abusive traffic and those abusive IPs access my
> network(s)... if some IP is beating on my network with traffic attempting to
> compromise a package that i'm not running, they are obviously up to no good and
> they are quite unwelcome in my network(s)... as such they are unceremoniously
> blocked with all due prejudice available...
> this is especially true with web-based traffic... just because i'm not running a
> CMS doesn't mean that i'm going to allow my server(s) and application(s) be beat
> on with traffic that is attempting to violate any CMS product... why should i
> allow all that traffic on my network(s)? why should i subject my server(s) and
> app(s) to that kind of beating? thanks but no thanks...
That's certainly one way of looking at it, and depending on the environment, I agree that might be interesting. But for people who are just trying to understand the alerts in their environment, turning off rules for software they don't run may be a viable tuning step.
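The two tuning options discussed in this thread, as an added illustration that is not part of the original message. It assumes Snort 2.x threshold.conf / PulledPork syntax; the address ranges are constructed placeholders.

```conf
# Option A (global disable, the "not running the product" approach):
# PulledPork disablesid.conf entry, gid:sid of the rule in this thread.
1:17239

# Option B (keep the rule, narrow where it fires) in threshold.conf:
# Suppress only for destination hosts that do not run the product,
# so hits against the rest of the network still alert (constructed ranges).
suppress gen_id 1, sig_id 17239, track by_dst, ip 10.20.0.0/16

# Rate-limit the remaining alerts to one per source per minute, which keeps
# the "who is beating on my network" signal without flooding the console.
event_filter gen_id 1, sig_id 17239, type limit, track by_src, count 1, seconds 60
```

Option B keeps the visibility the quoted poster wants while still reducing noise; Option A is the simpler step for a site that only wants alerts relevant to software it actually runs.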