Snort mailing list archives
Re: Trying to understand file.exe flowbit
From: Joel Esler <jesler () sourcefire com>
Date: Fri, 11 Jan 2013 15:49:05 -0500
On Jan 11, 2013, at 2:25 PM, Bobby Hinzman <rhinzm826 () gmail com> wrote:
Hello, I'm currently running Snort 2.9.3.1 with Pulledpork to manage rules, have an active Subscriber subscription to VRT rules, and am running a 'balanced' policy with a number of rules enabled and disabled in PP. My problem is that currently sid 15306 is about 43% of my total generated alerts and I'd like to turn it off. However, 15306 sets the file.exe flowbit. Looking through the rules I noticed a number of other sids also set file.exe (including 11192, 16313, 16425, 21908, 21909, and 23725 but I may have missed a few others). If any of those other rules set file.exe do I still need 15306 to be enabled for all of the rules that check for the file.exe flowbit?
Bobby, I'd suggest leaving it enabled. You can suppress the events, I believe you will find what you are looking for here: http://manual.snort.org/node206.html

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
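As an added illustration of the advice above (constructed example, not from this thread or from the VRT ruleset): the first block shows how a local rule can set the file.exe flowbit while keeping itself quiet with flowbits:noalert, and the second shows the suppress and event_filter entries from the threshold.conf syntax Joel points to, which silence the event without disabling the rule that sets the flowbit. The sids 1000001 and 1000002, the 203.0.113.5 address and the one-per-hour limit are assumptions.

```conf
# --- local.rules (constructed example) -----------------------------------
# "Setter" rule: tags the flow as carrying a PE file so that rules using
# flowbits:isset,file.exe can fire. flowbits:noalert keeps the setter
# itself from generating an event. Disabling a setter outright would leave
# the downstream rules blind on any flow that only it would have tagged.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"LOCAL PE file magic over HTTP (silent setter)"; \
    flow:to_client,established; \
    file_data; content:"MZ"; depth:2; \
    flowbits:set,file.exe; flowbits:noalert; \
    classtype:misc-activity; sid:1000001; rev:1; )

# "Consumer" rule: only evaluated further once file.exe is set on the flow.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"LOCAL PE DOS stub seen on flow tagged file.exe"; \
    flow:to_client,established; \
    flowbits:isset,file.exe; \
    file_data; content:"This program cannot be run in DOS mode"; \
    classtype:misc-activity; sid:1000002; rev:1; )

# --- threshold.conf (constructed example) --------------------------------
# The VRT rule sid 15306 stays enabled in the ruleset (and in pulledpork),
# so it keeps setting file.exe; only its events are filtered here.
# Use one of the two suppress forms, not both.

# Option 1: drop every event from sid 15306.
suppress gen_id 1, sig_id 15306

# Option 2: drop it only for one known-noisy source (placeholder address).
suppress gen_id 1, sig_id 15306, track by_src, ip 203.0.113.5

# Option 3: keep the signal but rate-limit it to one event per source
# address per hour. event_filter can coexist with a suppress entry.
event_filter gen_id 1, sig_id 15306, type limit, track by_src, count 1, seconds 3600
```

After editing threshold.conf, reload the configuration and confirm with the alert counts that sid 15306 has dropped out of the top alerts while the rules that use flowbits:isset,file.exe still fire on test traffic.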
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!