Snort mailing list archives
RE: Looking for opinions...
From: "L. Christopher Luther" <CLuther () Xybernaut com>
Date: Mon, 28 Apr 2003 12:26:16 -0400
Instead of disabling some of the alerts, why don't you change them to log only? If you are familiar with IIS (which it seems you are), then you know that an IIS vulnerability that is patched today could re-surface tomorrow in a slightly different form, and I've seen "old" Snort sigs catch new vulnerabilities. If this happens and you don't have a sig specific to the new vulnerability, Snort would still log the attack, and give you a record in case your system is compromised.

My two cents...

-----Original Message-----
From: Wilcoxen, Scott [mailto:SWilcoxen () macf com]
Sent: Monday, April 28, 2003 11:53 AM
To: Snort-users () lists sourceforge net
Subject: [Snort-users] Looking for opinions...

Hi all!

I was looking for some opinions on something here. I've recently set up Snort here in my office. Everything is running great, but I'm not sure how to proceed on something. Alerts which are being generated for known vulnerabilities in IIS, SMB, etc. which I know for a fact I'm patched for are overrunning my alert logs. I'm logging all traffic to tcpdump binaries, so if I ever really needed to dig through this info I could. So, in order to keep the number of alerts to a manageable level I was considering disabling the rules for which I am already patched.

Any thoughts on this?

Scott S Wilcoxen
Macfadden & Associates, Inc.
Email: Swilcoxen at macf dot com
www.macf.com
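The approach suggested in the reply above, as an added example that is not part of the original thread: a small Python helper that switches selected rules from the `alert` action to Snort's `log` action by sid, so the traffic is still recorded without filling the alert log. The rules, sids and the helper name `demote_to_log` are constructed for illustration.

```python
import re

# An enabled rule whose action is "alert"; captures indentation, the rest of
# the rule, and its sid. Lines starting with "#" (disabled rules) do not match.
RULE_RE = re.compile(r'^(\s*)alert(\s+.*\bsid\s*:\s*(\d+)\s*;.*)$')

# Constructed sample rules file; sids are in the local range (>= 1000000).
SAMPLE_RULES = '''\
# constructed rules for illustration only
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"EXAMPLE IIS probe A"; content:"/example-a"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"EXAMPLE SMB probe"; content:"example-b"; sid:1000002; rev:1;)
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"EXAMPLE disabled rule"; content:"/example-c"; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"EXAMPLE unpatched service"; content:"/example-d"; sid:1000004; rev:1;)
'''


def demote_to_log(rules_text, sids):
    """Rewrite 'alert' to 'log' for enabled rules whose sid is in sids.

    Returns (new_text, changed_sids, missing_sids). Commented-out rules and
    rules not listed keep their original action, so anything the operator has
    not confirmed as patched still raises an alert.
    """
    wanted = {int(s) for s in sids}
    out, changed = [], []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if m and int(m.group(3)) in wanted:
            line = f"{m.group(1)}log{m.group(2)}"
            changed.append(int(m.group(3)))
        out.append(line)
    # Requested sids that matched no enabled alert rule (typo, disabled rule).
    missing = sorted(wanted - set(changed))
    return "\n".join(out) + "\n", changed, missing


if __name__ == "__main__":
    text, changed, missing = demote_to_log(SAMPLE_RULES, [1000001, 1000002])
    print(text)
    print("demoted:", changed, "not found:", missing)
```
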