Snort mailing list archives
BLACKLIST URI Request Rules
From: Chris Granger <chrisgrangerx () gmail com>
Date: Wed, 3 Aug 2011 12:29:01 -0400
Hi VRT,

We're noticing that many of these rules released yesterday seem to be generating a high number of false positives and/or the URIs may be pre-compromise indicators. I read your blog posting re how these rules are developed:

http://vrt-blog.snort.org/2011/02/blacklistrules-clamav-and-data-mining.html

I am curious about what efforts are made to separate potentially benign or pre-compromise indicators from the evil and/or post-compromise. Also, is there any interest in receiving reports on potential false positives caused by particular hosts/domains to add these to the rules as negated content matches?

Thanks,
Chris
Current thread:
- BLACKLIST URI Request Rules Chris Granger (Aug 03)
- Re: BLACKLIST URI Request Rules Adam Gardner (Aug 03)
- Re: BLACKLIST URI Request Rules Joel Esler (Aug 03)
- Re: BLACKLIST URI Request Rules Chris Granger (Aug 03)