[Oisf-users] Fw: Why so many rules disabled?
Francis Trudeau
ftrudeau at emergingthreats.net
Tue Jul 17 20:34:45 UTC 2018
This is more of a question for the ET list in the future:
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
The reason in this particular case is that the shellcode rules
are/were super FP (False Positive) prone. In some environments it may
be safe to turn them on but in most they'll FP. We leave them in the
set but commented out for anyone who wants to use them.
There are a few common reasons why we disable rules:
1. FPs, like the example above.
2. Old, irrelevant.
3. Bad performance.
Thanks,
Francis
On Mon, Jul 16, 2018 at 3:55 AM, <gatodiablo at protonmail.com> wrote:
> While testing suricata at wicar.org I noticed only some of the exploits were
> generating alerts. When I checked emerging-shellcode.rules I saw more than
> half the rules are disabled by default. Why?
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
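An added example, not from this thread and not Emerging Threats or Suricata code: a small Python script that tells rules that are active apart from rules left in the file but commented out (the "commented out for anyone who wants to use them" case above), and re-enables a chosen subset by sid or by a pattern on the msg field rather than the whole file. The rules file below is a constructed sample with placeholder sids and contents, and the function names are my own.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Constructed sample in the layout of an ET rules file. The sids and
# contents are placeholders, not real ET signatures. A rule is "disabled"
# when its whole line is commented out with a leading '#'.
SAMPLE_RULES = """\
# Constructed sample; sids and content are placeholders, not real ET signatures.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE SHELLCODE example A"; content:"|90 90 90 90|"; classtype:shellcode-detect; sid:9000001; rev:1;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE SHELLCODE example B"; content:"|eb 03 59 eb 05|"; classtype:shellcode-detect; sid:9000002; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE SHELLCODE example C"; content:"|cc cc cc cc|"; classtype:shellcode-detect; sid:9000003; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE WEB unrelated"; content:"GET"; sid:9000004; rev:1;)
"""

# A rule line starts with an optional '#' (disabled) and then an action keyword.
RULE_RE = re.compile(r'^\s*(#\s*)?(alert|drop|pass|reject|log)\s', re.I)
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg\s*:\s*"([^"]*)"')


def parse_rule_line(line: str) -> Optional[Tuple[bool, int, str]]:
    """Return (disabled, sid, msg) for a rule line.

    Plain comments, blank lines and lines without a sid are not rules
    and return None, so a comment such as '# alert on X' is not counted.
    """
    m = RULE_RE.match(line)
    if not m:
        return None
    sid = SID_RE.search(line)
    if not sid:
        return None
    msg = MSG_RE.search(line)
    return (m.group(1) is not None, int(sid.group(1)), msg.group(1) if msg else "")


def count_rules(text: str) -> Tuple[int, int]:
    """Count (enabled, disabled) rules in a rules file."""
    enabled = disabled = 0
    for line in text.splitlines():
        parsed = parse_rule_line(line)
        if parsed is None:
            continue
        if parsed[0]:
            disabled += 1
        else:
            enabled += 1
    return enabled, disabled


def enable_rules(text: str, sids: Iterable[int] = (),
                 msg_pattern: Optional[str] = None) -> Tuple[str, List[int]]:
    """Uncomment disabled rules selected by sid or by a regex on their msg.

    Returns the rewritten file text and the sids that were actually turned
    on. Rules that are already enabled are left alone and not reported, so
    the caller can see exactly what changed.
    """
    wanted = set(sids)
    pattern = re.compile(msg_pattern) if msg_pattern else None
    out: List[str] = []
    turned_on: List[int] = []
    for line in text.splitlines():
        parsed = parse_rule_line(line)
        if parsed is not None:
            disabled, sid, msg = parsed
            if disabled and (sid in wanted or (pattern and pattern.search(msg))):
                # Strip only the leading comment marker; the rule body is kept verbatim.
                line = re.sub(r'^\s*#\s*', '', line)
                turned_on.append(sid)
        out.append(line)
    return "\n".join(out) + "\n", turned_on


if __name__ == "__main__":
    print("before:", count_rules(SAMPLE_RULES))
    new_text, changed = enable_rules(SAMPLE_RULES, msg_pattern=r"SHELLCODE")
    print("enabled sids:", changed)
    print("after: ", count_rules(new_text))
```

Editing the downloaded file by hand is lost on the next rule update; with suricata-update the same selection goes into its enable.conf (one sid per line, or a `re:` pattern matched against the rule text) so it is reapplied every run. Either way, turn the commented-out shellcode rules on in a test sensor first and baseline the alert volume on your own traffic, since the false-positive rate Francis describes is the reason they ship disabled.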