[Snort-users] Notes for Community rule 29456

Jeremy Hoel jthoel at ...11827...
Thu Jan 23 19:50:32 EST 2014


We had to add a few things to this rule to not alert on valid traffic.
I'm not sure if these should be in the rule, but they might help
someone else.

NetApps do pings to DCs with no data, so with James's help, we found
that dsize:>10; made those alerts go away.

DCs were talking to other DCs:
content:!"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"; depth:36;

And the "abcd...hi" was all upper case, and some devices send lower
case, so we added another !content with lowercase instead of using
'nocase' (to avoid maybe having something sent via mixed case get
by).
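An added example, not part of the post: a small model of the three options described above (dsize:>10, the negated "E..." content with depth:36, and the two case-specific negated contents), run over constructed ICMP payloads so the effect of each exclusion can be checked offline. It assumes the "abcd...hi" string is the standard 32-byte Windows ping payload and that no depth was set on those two contents; the rest of rule 29456 is not on the page and is not modelled.

```python
"""Model of the rule options the post added to community rule 29456."""
from typing import Optional

# Constructed sample payloads (assumptions, not captured traffic).
NETAPP_PING = b""                                  # NetApp ping with no data
DC_PATTERN = b"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"   # pattern quoted in the post
DC_TO_DC = DC_PATTERN                              # DC-to-DC echo payload
PING_UPPER = b"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"   # assumed "abcd...hi", uppercased
PING_LOWER = PING_UPPER.lower()                    # same payload, lowercased
PING_MIXED = PING_UPPER[:16].lower() + PING_UPPER[16:]  # neither exact-case form


def dsize_gt(payload: bytes, n: int) -> bool:
    """dsize:>n holds when the payload is longer than n bytes."""
    return len(payload) > n


def content_absent(payload: bytes, pattern: bytes,
                   depth: Optional[int] = None, nocase: bool = False) -> bool:
    """content:!"pattern"; [depth:d;] [nocase;] holds when the pattern is
    NOT found within the first `depth` bytes (whole payload if depth is None)."""
    window = payload if depth is None else payload[:depth]
    if nocase:
        window, pattern = window.lower(), pattern.lower()
    return pattern not in window


def rule_alerts(payload: bytes, use_nocase: bool = False) -> bool:
    """True when every added option holds, i.e. the tuned rule still fires.

    With use_nocase=True the two case-specific negations are replaced by a
    single nocase negation, the alternative the post deliberately avoided:
    it also silences mixed-case payloads, which the post wanted to keep."""
    if not dsize_gt(payload, 10):
        return False
    if not content_absent(payload, DC_PATTERN, depth=36):
        return False
    if use_nocase:
        return content_absent(payload, PING_UPPER, nocase=True)
    return (content_absent(payload, PING_UPPER)
            and content_absent(payload, PING_LOWER))


if __name__ == "__main__":
    for name, p in [("netapp", NETAPP_PING), ("dc-to-dc", DC_TO_DC),
                    ("upper", PING_UPPER), ("lower", PING_LOWER),
                    ("mixed", PING_MIXED)]:
        print(f"{name:9} exact-case alert={rule_alerts(p)!s:5} "
              f"nocase alert={rule_alerts(p, use_nocase=True)}")
```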
