Snort mailing list archives

Re: False Positives on 1:17246
From: Nigel Houghton <nhoughton () sourcefire com>
Date: Thu, 14 Oct 2010 11:13:12 -0400


Discussion about rules normally takes place on snort-sigs, so you guys 
probably aren't following the discussion on this rule over there.

In short, the current revision of the rule is 3 and it is now in 
deleted.rules.

The rule will appear in the deleted.rules for registered users when 
they can download the rules released on October 5th. In the meantime, 
might as well move it there yourselves.

On Thu, 14 Oct 2010 10:12:16 -0400, Josh Little wrote:

On 10/14/2010 9:54 AM, Christopher A. Libby wrote:
Looks like there are a lot of false positives being generated on
SPECIFIC-THREATS Multiple vendor Antivirus magic byte detection evasion
attempt. I haven't had time to review the rule itself to see if I can
figure out what the issue is exactly - I can supply data if needed.

Also - does anyone have a script that could extract the full details of
the event from the Snorby database? I have a hard time providing data
using the web-based export methods, as it doesn't contain all the
information. Thanks!


I'll second the large amounts of "false positives" on that signature.
I came in today to several hundred alerts for 17246. The signature src
addresses are fairly random (banking site, diet site, several ad
servers, etc) and all are from web traffic (tcp/80).

Josh Little



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Nigel Houghton
Head Mentalist
SF VRT Department of Intelligence Excellence
http://vrt-sourcefire.blogspot.com && http://labs.snort.org/
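The "move it there yourselves" step above, as an added shell example that is not code from the thread or from Sourcefire: it relocates every rule carrying a given SID (17246 here) out of the active *.rules files into deleted.rules, commented out so Snort no longer loads it, and reports how many rules it moved. It assumes one rule per line (no backslash continuations) and POSIX grep/sed; the sample rules directory it builds is constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from Sourcefire: move every rule
# carrying a given SID out of the active *.rules files into deleted.rules,
# commented out, which is what the reply suggests doing by hand for sid 17246.
# Assumes one rule per line (no backslash continuations) and POSIX grep/sed.

move_sid_to_deleted() {
    sid="$1"; rules_dir="$2"
    deleted="$rules_dir/deleted.rules"
    # "sid:17246;" with optional whitespace; the ';' keeps 172460 from matching
    pat="sid:[[:space:]]*$sid[[:space:]]*;"
    moved=0
    for f in "$rules_dir"/*.rules; do
        [ "$f" = "$deleted" ] && continue
        grep -Eq "$pat" "$f" || continue
        n=$(grep -Ec "$pat" "$f")
        # append the matching rules to deleted.rules, disabled with a leading '#'
        grep -E "$pat" "$f" | sed 's/^/# /' >> "$deleted"
        # rewrite the source file without them (grep -v exits 1 if nothing is left)
        grep -Ev "$pat" "$f" > "$f.tmp" || :
        mv "$f.tmp" "$f"
        moved=$((moved + n))
    done
    echo "$moved"
}

# Constructed sample rule set standing in for a real rules directory.
make_sample_rules() {
    dir="$1"
    printf '%s\n' \
      'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Multiple vendor Antivirus magic byte detection evasion attempt"; sid:17246; rev:3;)' \
      'alert tcp any any -> any any (msg:"unrelated rule"; sid:1000001; rev:1;)' \
      > "$dir/specific-threats.rules"
    : > "$dir/deleted.rules"
}

# Stand-alone demo on a scratch copy; point it at a real rules dir only after taking a backup.
demo_dir=$(mktemp -d)
make_sample_rules "$demo_dir"
echo "moved $(move_sid_to_deleted 17246 "$demo_dir") rule(s) into $demo_dir/deleted.rules"
```

A second run on the same directory reports 0, since deleted.rules itself is skipped and the active files no longer contain the SID.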



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault