Snort mailing list archives

Re: Proxy Servers generating false positives


From: "Chan, Wilson" <wchan () honolulu gov>
Date: Fri, 30 Oct 2009 17:38:25 -1000

BPF'ing the proxy servers would be the extreme. Would I be better off disabling the rules or creating thresholds for 
the websites that are false positives? One site that triggered an alarm was sourced from our proxy server to cnn.com's 
website.

Wilson

----- Original Message -----
From: Jason Haar <Jason.Haar () trimble co nz>
To: snort-users () lists sourceforge net <snort-users () lists sourceforge net>
Sent: Fri Oct 30 16:48:56 2009
Subject: Re: [Snort-users] Proxy Servers generating false positives

On 10/31/2009 10:57 AM, Jefferson, Shawn wrote:

Well, I could see straight off the bat that you would be possibly
giving up detection on attack responses and malware that is proxy-aware.


Indeed, I can assert that snort picks up tonnes of malware via our
proxies. What makes the original poster so sure snort is triggering
false positives? (to such an extent that you'd contemplate BPF filtering
out proxy traffic instead of turning off a few FP rules)



-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


------------------------------------------------------------------------------
Come build with us! The BlackBerry(R) Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay 
ahead of the curve. Join us from November 9 - 12, 2009. Register now!
http://p.sf.net/sfu/devconference
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
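As an added illustration of the two tuning options Wilson is weighing (not configuration posted in the thread), here is a Snort 2.8.x threshold.conf fragment that scopes the change to the proxy rather than filtering the proxy out entirely. The proxy address 10.0.0.5 and SID 1000001 are placeholders; the real values come from the alert being tuned.

```conf
# threshold.conf fragment -- added example, not from the thread
# Placeholders: proxy address 10.0.0.5, signature ID 1000001

# Option 1: suppress one SID only when the source is the proxy.
# The rule stays enabled for every other host, so detection of
# proxy-aware malware elsewhere on the network is not given up.
suppress gen_id 1, sig_id 1000001, track by_src, ip 10.0.0.5

# Option 2: keep the rule and rate-limit it instead: at most one
# alert per source address every 60 seconds. Use this when the rule
# still catches real events and the problem is alert volume, not
# a rule that is wrong for this traffic.
event_filter gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 60

# Neither option is equivalent to a BPF filter on the proxy, which
# would silence every rule for that host, not just the noisy one.
```

Snort reads this file through the `include threshold.conf` line in snort.conf; a suppression can later be narrowed to a destination with `track by_dst` if the false positive is tied to one site rather than to the proxy.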



