Yes, I agree with this fully. However, the innevitable question remains,
how to remedy those in the future as well as how to test the sigs
reliably? Tools creating testcode from the signatures should consider
the situation we had to cope with. I am happy to say that my need on
signatures is between 80-150 so in the worst case one could delegate the
testing to an apprentice - but those are not always reliable as well ;)
Edin
Alex Kirk schrieb am 20.01.2005 19:45:
All,
Just to clarify this, I'm seeing different login data than what the rule
looks for in PCAPs from both Edin and my own testing. This may be caused
by a variety of reasons, from a difference in the client we're using vs.
what was used to create the rule, an update to the protocol, etc. This
does not necessarily mean that the current rule is always invalid, just
that there are some false negatives.
For all those who may be concerned about this rule, I've created a bug
internally, and the rule will be updated and/or a new rule will be added
as appropriate in the next rule pack after we determine what the
appropriate course of action is.
Alex Kirk
Research Analyst
Sourcefire, Inc.
...
--
Edin Dizdarevic
-------------------------------------------------------
This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting
Tool for open source databases. Create drag-&-drop reports. Save time
by over 75%! Publish reports on the web. Export to DOC, XLS, RTF, etc.
Download a FREE copy at http://www.intelliview.com/go/osdn_nl
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
