snort-users October 2010 archive

Re: [Snort-users] False Positives on 1:17246

From: Nigel Houghton <nhoughton_at_nospam>
Date: Thu Oct 14 2010 - 15:13:12 GMT
To: Josh Little <josh@zombietango.com>

Discussion about rules normally takes place on snort-sigs, so you guys
probably aren't following the discussion on this rule over there.

In short, the current revision of the rule is 3 and it is now in
deleted.rules.

The rule will appear in the deleted.rules for registered users when
they can download the rules released on October 5th. In the meantime,
might as well move it there yourselves.

On Thu, 14 Oct 2010 10:12:16 -0400, Josh Little wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> On 10/14/2010 9:54 AM, Christopher A. Libby wrote:
>> Looks like there are a lot of false positives being generated on
>> SPECIFIC-THREATS Multiple vendor Antivirus magic byte detection evasion
>> attempt. I haven't had time to review the rule itself to see if I can
>> figure out what the issue is exactly - I can supply data if needed.
>>
>> Also - does anyone have a script that could extract the full details of
>> the event from the Snorby database? I have a hard time providing data
>> using the web-based export methods, as it doesn't contain all the
>> information. Thanks!
>>
>
> I'll second the large amounts of "false positives" on that signature.
> I came in today to several hundred alerts for 17246. The signature src
> addresses are fairly random (banking site, diet site, several ad
> servers, etc) and all are from web traffic (tcp/80).
>
> Josh Little
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.14 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iF4EAREIAAYFAky3D70ACgkQMRelb3QdcMdRwgD8Cu5ht9XPvwLACcCxRzLhPw42
> AT7DadWHug9oOn/MQ6wA/0MMoOMCEO3A4Q0133V9kkU8tpn7fBNV4ZQxr8ZKDRol
> =vdKL
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Nigel Houghton
Head Mentalist
SF VRT Department of Intelligence Excellence
http://vrt-sourcefire.blogspot.com && http://labs.snort.org/
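The move Nigel suggests (take the 1:17246 rule out of its active rules file and park it in deleted.rules until the October 5th release does it for you) is easy to script. The POSIX shell function below is an added example, not part of this thread and not VRT tooling. It assumes a rules directory laid out like the VRT tarball, one rule per line with `sid:NNNN;` in the options, and it appends the moved rule to deleted.rules commented out, so it stays disabled whether or not snort.conf includes deleted.rules. The sample ruleset it builds is constructed for the demo and is not the real rule text.

```shell
#!/bin/sh
# Added example: move every rule carrying a given SID out of the active
# *.rules files and into deleted.rules, commented out. Not VRT code.

# move_sid_to_deleted SID RULESDIR  -> prints the number of rule lines moved
move_sid_to_deleted() {
    sid="$1"
    dir="$2"
    deleted="$dir/deleted.rules"
    # anchor on "sid:<n>;" so 17246 does not match 117246 or 172460
    pat="sid:[[:space:]]*${sid}[[:space:]]*;"
    moved=0
    for f in "$dir"/*.rules; do
        [ "$f" = "$deleted" ] && continue
        if grep -Eq "$pat" "$f"; then
            n=$(grep -Ec "$pat" "$f")
            # carry the rule over, commented out, so it is never loaded
            grep -E "$pat" "$f" | sed 's/^/# /' >> "$deleted"
            # grep -v exits 1 when no lines remain; that is not an error here
            grep -Ev "$pat" "$f" > "$f.tmp" || true
            mv "$f.tmp" "$f"
            moved=$((moved + n))
        fi
    done
    echo "$moved"
}

# make_demo_rules -> prints the path of a temporary rules directory holding a
# constructed ruleset (demo rule bodies, not the real 1:17246 text)
make_demo_rules() {
    dir=$(mktemp -d)
    cat > "$dir/specific-threats.rules" <<'EOF'
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DEMO rule one"; flow:to_client,established; content:"AAA"; classtype:misc-activity; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DEMO stand-in for 1:17246"; flow:to_client,established; content:"BBB"; classtype:attempted-user; sid:17246; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DEMO rule two"; flow:to_client,established; content:"CCC"; classtype:misc-activity; sid:9000002; rev:1;)
EOF
    cat > "$dir/deleted.rules" <<'EOF'
# rules retired from the active set
EOF
    echo "$dir"
}

# Demo run against the constructed ruleset
demo_dir=$(make_demo_rules)
echo "moved $(move_sid_to_deleted 17246 "$demo_dir") rule(s) into $demo_dir/deleted.rules"
```

Run it once per SID against your rules directory, then restart or SIGHUP Snort so the rule set is reloaded; `grep -rn 'sid:17246;' /etc/snort/rules` afterwards should show only the commented copy in deleted.rules.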