[Snort-users] 1:17239 False Positive

Joel Esler jesler at ...1935...
Tue Oct 12 16:11:02 EDT 2010


On Oct 12, 2010, at 3:57 PM, waldo kitty wrote:
> On 10/12/2010 15:42, Joel Esler wrote:
>> Right, that's the general rule of thumb, however, this rule was updated in today's rulepack.
>> 
>> Joel
>> 
>> On Oct 12, 2010, at 12:21 PM, Christopher A. Libby wrote:
>> 
>>> My initial guess would be disable this rule if you aren't using the product  [...]
> 
> "the general rule of thumb" depends on which side of the fence one is standing 
> and operating on...
> 
> on my side of the fence, if there is some bad traffic, i want to know about 
> it... just because i'm not using a particular product doesn't mean that i'm 
> willing to let that abusive traffic and those abusive IPs access my 
> network(s)... if some IP is beating on my network with traffic attempting to 
> compromise a package that i'm not running, they are obviously up to no good and 
> they are quite unwelcome in my network(s)... as such they are unceremoniously 
> blocked with all due prejudice available...
> 
> this is especially true with web-based traffic... just because i'm not running a 
> CMS doesn't mean that i'm going to allow my server(s) and application(s) be beat 
> on with traffic that is attempting to violate any CMS product... why should i 
> allow all that traffic on my network(s)? why should i subject my server(s) and 
> app(s) to that kind of beating? thanks but no thanks...


That's certainly one way of looking at it, and depending on the environment, I agree that might be interesting.  But for people who are just trying to understand the alerts in their environment, turning off rules for software they don't run may be a viable tuning step.

J

--
Joel Esler
302-223-5974
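The two tuning paths argued over in this thread (suppress a rule for software you don't run, or watch the sources that keep tripping it and decide whether to block them) both start from the same data: the alert log. The script below is an added example, not part of the thread and not Snort's own tooling. It assumes the one-line `alert_fast` output layout, uses constructed sample lines with RFC 5737 test addresses, and uses a placeholder message for SID 17239 (the real rule text is not on this page). The `suppress gen_id ..., sig_id ...` lines it emits follow the Snort 2 `threshold.conf` syntax; SID 1000001 is a constructed local-rule number.

```python
import re
from collections import Counter

# Pattern for the Snort 2 "alert_fast" one-line output (assumed layout; it
# matches the constructed samples below). The port is optional so that
# ICMP alerts, which carry no port, still parse.
FAST_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<msg>.+?) \[\*\*\] .*?\{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Constructed sample alerts. Rule messages are placeholders, not real rule text.
SAMPLE_ALERTS = """\
10/12-15:01:02.000001 [**] [1:17239:3] EXAMPLE-CMS-RULE (constructed) [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:44321 -> 198.51.100.5:80
10/12-15:01:05.000002 [**] [1:17239:3] EXAMPLE-CMS-RULE (constructed) [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:44322 -> 198.51.100.5:80
10/12-15:02:10.000003 [**] [1:17239:3] EXAMPLE-CMS-RULE (constructed) [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:51000 -> 198.51.100.5:80
10/12-15:03:00.000004 [**] [1:1000001:1] EXAMPLE-LOCAL-RULE (constructed) [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:44400 -> 198.51.100.6:443
10/12-15:04:00.000005 [**] [1:1000001:1] EXAMPLE-LOCAL-RULE (constructed) [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 198.51.100.20 -> 198.51.100.6
"""


def parse_alerts(text):
    """Parse alert_fast lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        for key in ("gid", "sid", "rev"):
            rec[key] = int(rec[key])
        alerts.append(rec)
    return alerts


def count_by_sid(alerts):
    """How often each (gid, sid) fired: the first thing to look at when tuning."""
    return Counter((a["gid"], a["sid"]) for a in alerts)


def suppress_entries(alerts, unused_sids):
    """threshold.conf 'suppress' lines for rules that cover software you do not run.

    Only SIDs that actually fired are emitted, so the resulting config stays
    small and every line is backed by an observed alert.
    """
    seen = sorted({(a["gid"], a["sid"]) for a in alerts if a["sid"] in unused_sids})
    return [f"suppress gen_id {gid}, sig_id {sid}" for gid, sid in seen]


def block_candidates(alerts, min_alerts=2):
    """Sources worth a closer look before any blocking decision.

    Returns (src, total_alerts, distinct_sids) tuples, busiest first. A source
    hitting several unrelated rules is more telling than one rule firing once.
    """
    totals = Counter(a["src"] for a in alerts)
    sids = {}
    for a in alerts:
        sids.setdefault(a["src"], set()).add(a["sid"])
    return [
        (src, n, len(sids[src]))
        for src, n in totals.most_common()
        if n >= min_alerts
    ]


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    for (gid, sid), n in count_by_sid(alerts).most_common():
        print(f"{gid}:{sid}\t{n} alerts")
    print("\n".join(suppress_entries(alerts, unused_sids={17239})))
    for src, n, k in block_candidates(alerts):
        print(f"{src}\t{n} alerts across {k} rule(s)")
```

Run it against a real `alert` file by replacing `SAMPLE_ALERTS` with the file contents; the `unused_sids` set is the list of rules for products you know are not deployed, which is exactly the judgement call the thread is about.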