[Dshield] Rating Attackers

Johannes Ullrich jullrich at sans.org
Fri Aug 2 11:38:30 GMT 2002


> Not to pick, but that web page sets off snort, big time. Freaked the
> sh*t out of me until I figured what was going on, since I first saw
> the alert out on my firewall box, and the destination port says that
> the packet contents were getting through into one of my interior
> boxes...

The art of tuning snort rules. Look at the newer version of snort that
can actually filter by the 'direction' of the packet. We get this a lot
for incidents.org, as there are tons of pages with 'signatures' on them.


-- 
---------------------------------------------------------------
jullrich at sans.org             Collaborative Intrusion Detection
                                    join http://www.dshield.org
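
The false positive discussed above, as an added example that is not part of the original post: a simplified Python model (not Snort itself) of content matching with and without a direction constraint. The addresses, payloads, rule names and the "to_server"/"to_client" labels are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes
    from_client: bool  # True if sent by the side that opened the connection


@dataclass
class Rule:
    name: str
    content: bytes
    flow: Optional[str] = None  # None (any direction), "to_server" or "to_client"

    def matches(self, pkt: Packet) -> bool:
        # Case-insensitive content match first, then the direction filter.
        if self.content.lower() not in pkt.payload.lower():
            return False
        if self.flow == "to_server":
            return pkt.from_client
        if self.flow == "to_client":
            return not pkt.from_client
        return True


def alerts(rules: List[Rule], packets: List[Packet]) -> List[Tuple[str, str, str]]:
    """Return (rule name, source, destination) for every rule/packet match."""
    return [(r.name, p.src, p.dst) for p in packets for r in rules if r.matches(p)]


# Constructed traffic (documentation and private address ranges).
TRAFFIC = [
    # Inbound request to an internal web server: the case the rule is meant for.
    Packet("198.51.100.7", 40000, "192.168.1.20", 80,
           b"GET /scripts/cmd.exe HTTP/1.0\r\n\r\n", from_client=True),
    # Reply from an external site to an internal browser; the page body merely
    # quotes a signature, as pages full of 'signatures' do.
    Packet("203.0.113.80", 80, "192.168.1.10", 51000,
           b'HTTP/1.0 200 OK\r\n\r\n<pre>content:"cmd.exe"</pre>', from_client=False),
]

if __name__ == "__main__":
    print(alerts([Rule("no-direction", b"cmd.exe")], TRAFFIC))
    print(alerts([Rule("to-server-only", b"cmd.exe", flow="to_server")], TRAFFIC))
```

The rule without a direction alerts on both packets, including the page delivered to the interior box; the direction-constrained rule alerts only on the inbound request.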



