Re: [Fwsnort-discuss] avoid false positives
From: Quartexx <qua...@gm...> - 2007-11-27 20:42:33
2007/11/27, Michael Rash <mb...@ci...>:
> > Then, I presume VRT rules from snort.org are probably safer than
> > those from bleedingsnort.
>
> Yes, the VRT rules probably have a lower rate of false positives in
> general than the pure bleedingsnort rules.
>
> The fwsnort translation of the VRT rules is not as good though because
> there are several Snort rule keywords that fwsnort cannot translate
> into iptables equivalents (flowbits, threshold, etc.). Could you post
> the output of fwsnort against the latest VRT ruleset? I'm curious how
> well fwsnort does against it.

# VRT ruleset
[+] Generated iptables rules for 853 out of 8564 signatures: 9.96%

# bleedingsnort
[+] Generated iptables rules for 6591 out of 8463 signatures: 77.88%

I would say a huge difference. The fact that fwsnort cannot translate such
keywords is due to the iptables string match extension's limits?

Thanks
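The percentages above come from fwsnort deciding, rule by rule, whether every option in a Snort signature has an iptables equivalent. The following added example (not fwsnort's own code, and not from anyone in this thread) reproduces that bookkeeping over a handful of constructed rules: it parses the Snort option section, flags rules that use keywords assumed to have no iptables counterpart, and reports a "translated out of total" figure in the same spirit as the "[+] Generated iptables rules for ..." line. Only `flowbits` and `threshold` are named in the thread; the other entries in `UNSUPPORTED_KEYWORDS`, the rule texts and the sid values are assumptions made for this example.

```python
import re
from typing import Dict, List, Tuple

# Keywords assumed to have no iptables equivalent. "flowbits" and
# "threshold" come from the thread; the rest are an assumption of this
# example, not fwsnort's actual list.
UNSUPPORTED_KEYWORDS = {"flowbits", "threshold", "pcre", "byte_test", "byte_jump"}

# One Snort option: name[:value]; where a value may be a quoted string
# (which may itself contain ';' and escaped quotes) or anything up to ';'.
OPTION_RE = re.compile(r'\s*([a-z_]+)\s*(?::\s*((?:"(?:[^"\\]|\\.)*"|[^;])*))?;')

# Constructed sample ruleset; sids are placeholders, not real VRT/ET ids.
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC constructed test 1"; '
    'content:"/test.cgi"; nocase; sid:9000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC constructed test 2"; '
    'flowbits:isset,http.state; content:"foo"; sid:9000002; rev:1;)',
    'alert tcp any any -> $HOME_NET 22 (msg:"SSH constructed brute"; content:"SSH-"; '
    'threshold:type threshold, track by_src, count 5, seconds 60; sid:9000003; rev:1;)',
    'alert tcp any any -> any any (msg:"constructed pcre"; pcre:"/^GET\\s+\\/x/"; '
    'sid:9000004; rev:1;)',
    '# comment lines are skipped, as are blank lines',
]


def parse_rule(rule: str) -> Tuple[str, Dict[str, List[str]]]:
    """Split a Snort rule into its header and an option-name -> values map."""
    header, _, body = rule.partition("(")
    body = body.rstrip().rstrip(")").rstrip()
    options: Dict[str, List[str]] = {}
    pos = 0
    while pos < len(body):
        m = OPTION_RE.match(body, pos)
        if not m:
            raise ValueError(f"cannot parse options at: {body[pos:pos + 40]!r}")
        name, value = m.group(1), m.group(2)
        # Keywords such as content: may repeat, so keep a list per name.
        options.setdefault(name, []).append(value if value is not None else "")
        pos = m.end()
    return header.strip(), options


def untranslatable_keywords(rule: str) -> List[str]:
    """Return the option keywords in this rule that block an iptables translation."""
    _, options = parse_rule(rule)
    return sorted(k for k in options if k in UNSUPPORTED_KEYWORDS)


def translation_stats(rules) -> Tuple[int, int, float]:
    """Count how many rules could be translated; mirrors the fwsnort summary line."""
    total = translated = 0
    for rule in rules:
        rule = rule.strip()
        if not rule or rule.startswith("#"):
            continue
        total += 1
        if not untranslatable_keywords(rule):
            translated += 1
    pct = (100.0 * translated / total) if total else 0.0
    return translated, total, round(pct, 2)


if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        if rule.startswith("#"):
            continue
        blockers = untranslatable_keywords(rule)
        print(("skip  " if blockers else "ok    "), parse_rule(rule)[1]["sid"][0],
              ",".join(blockers))
    done, total, pct = translation_stats(SAMPLE_RULES)
    print(f"[+] Generated iptables rules for {done} out of {total} signatures: {pct}%")
```

Running the block prints one line per rule with the blocking keywords, then the summary line; a ruleset dominated by `flowbits` and `threshold` options (as VRT rules are) drives the percentage down exactly as the thread's numbers show, independent of any limit in the string match extension itself.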