RE: Looking for opinions...

["L. Christopher Luther" <CLuther () Xybernaut com>]

Instead of disabling some of the alerts, why don't you change them to log
only?  If you familiar with IIS (which it seems you are), then you know that
an IIS vulnerability that is patched today could re-surface tomorrow in a
slightly different form, and I've seen "old" Snort sigs catch new
vulnerabilities.  If this happens and you don't have a sig specific to the
new vulnerability, Snort would still log the attack, and give you a record
in case your system is compromised.  

My two cents... 

-----Original Message-----
From: Wilcoxen, Scott [mailto:SWilcoxen () macf com]
Sent: Monday, April 28, 2003 11:53 AM
To: Snort-users () lists sourceforge net
Subject: [Snort-users] Looking for opinions...


Hi all!  I was looking for some opinions on something here.  I've recently
set up Snort here in my office.  Everything is running great, but I'm not
sure how to proceed on something.  Alerts which are being generated for
known vulnerabilities in IIS, SMB, etc. which I know for a fact I'm patched
for are overrunning my alert logs.  I'm logging all traffic to tcpdump
binaries, so if I ever really needed to dig through this info I could.  So,
in order to keep the number of alerts to a manageable level I was
considering disabling the rules for which I am already patched.  Any
thoughts on this?
 
 
 
Scott S Wilcoxen
Macfadden & Associates, Inc.
Email: Swilcoxen at macf dot com 
www.macf.com
 


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users