Snort mailing list archives
Re: commenting out rules?
From: Colin Wu <wucolin () mcmaster ca>
Date: Mon, 18 Jun 2001 11:29:31 -0400
A couple of possibilities come to mind: 1. There are actually two rules in web-misc.rules that match "directory traveral", one unix flavour and one MS-DOS flavour. Did you comment out both? 2. You're commenting out the rules in the wrong file. Is the file you're editing actually the file snort is using? BTW, I hate losing information and commenting out a rule is losing information. If someone does attack you and http directory traversal is involved in the attack you'll never know if you don't at least log the traffic. What I tend to do is change the 'alert' action to 'log' for any rules I think are generating too many false positives. That way if I do need to see who's doing what at a later date I still have the packet in the logs. My $0.02. "Sheahan, Paul (PCLN-NW)" wrote:
I am seeing a ton of "http directory traversals" appear in my snort logs which I have determined to be normal in my environment. So I commented out this rule in web-misc.rules. Then I killed and re-ran Snort. But it is still appearing in my alert log. I tried removing the line from web-misc.rules all together just be sure, and it still keeps appearing in the logs as a possible attack. What am I missing? How do I get Snort to stop checking for this attack and others like it? Thanks! Paul _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- __ _ _ Network Analyst / ) // ' ) / Computing & Information Services / __|/ o ____ / / / . . McMaster University (__/ (_) \_<_/ / <_ (_(_/ (_/_ (905)525-9140 ext 24050 http://netman.McMaster.CA _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- commenting out rules? Sheahan, Paul (PCLN-NW) (Jun 16)
- Re: commenting out rules? Grant Parkinson (Jun 16)
- Re: commenting out rules? Colin Wu (Jun 18)