Snort mailing list archives

BLACKLIST URI Request Rules


From: Chris Granger <chrisgrangerx () gmail com>
Date: Wed, 3 Aug 2011 12:29:01 -0400

Hi VRT,

We're noticing that many of these rules released yesterday seem to be generating a high number of false positives 
and/or the URIs may be pre-compromise indicators. I read your blog posting re how these rules are developed 
http://vrt-blog.snort.org/2011/02/blacklistrules-clamav-and-data-mining.html

I am curious about what efforts are made to separate potential benign or pre-compromise indicators from the evil and/or 
post-compromise. Also, is there any interest in receiving reports on potential false positives caused by particular 
hosts/domains to add these to the rules as negated content matches?

Thanks,

Chris

Sent from my iPhone
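As an added example (not part of the original post or of VRT's tooling), a small triage script for the reporting workflow Chris describes: it parses Snort alert_fast lines, flags destinations that many distinct internal hosts trigger the same blacklist rule against, and formats the negated Host-header content match an analyst could propose once a host is confirmed benign. The alert lines, SIDs and addresses are constructed placeholders, and the "many distinct sources" heuristic is my assumption, not a VRT criterion.

```python
import re
from collections import defaultdict

# Constructed Snort alert_fast lines. SIDs 9000001/9000002, addresses and the
# message text are placeholders, not real VRT rule identifiers.
SAMPLE_ALERTS = """\
08/03-12:01:05.100000  [**] [1:9000001:1] BLACKLIST URI request (constructed) [**] [Priority: 1] {TCP} 10.0.0.5:51234 -> 203.0.113.7:80
08/03-12:01:09.200000  [**] [1:9000001:1] BLACKLIST URI request (constructed) [**] [Priority: 1] {TCP} 10.0.0.6:51300 -> 203.0.113.7:80
08/03-12:02:11.300000  [**] [1:9000001:1] BLACKLIST URI request (constructed) [**] [Priority: 1] {TCP} 10.0.0.9:51401 -> 203.0.113.7:80
08/03-12:03:40.400000  [**] [1:9000001:1] BLACKLIST URI request (constructed) [**] [Priority: 1] {TCP} 10.0.0.5:51500 -> 198.51.100.23:80
08/03-12:05:02.500000  [**] [1:9000002:1] BLACKLIST URI request (constructed) [**] [Priority: 1] {TCP} 10.0.0.7:51600 -> 198.51.100.23:80
"""

# alert_fast layout: [**] [gid:sid:rev] msg [**] ... {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_alerts(text):
    """Return one dict per parseable alert_fast line; other lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            alerts.append(m.groupdict())
    return alerts

def fp_candidates(alerts, min_sources=3):
    """(sid, dst, distinct_sources) for destinations hit under the same rule by at
    least min_sources distinct internal hosts. Heuristic (my assumption): a
    blacklist URI served by a site much of the user base visits is more likely a
    popular benign host than a C2, so it deserves analyst review as a possible
    false positive. It is a review queue, not an automatic whitelist."""
    seen = defaultdict(set)
    for a in alerts:
        seen[(a["sid"], a["dst"])].add(a["src"])
    out = [(sid, dst, len(s)) for (sid, dst), s in seen.items() if len(s) >= min_sources]
    return sorted(out, key=lambda t: (-t[2], t[0], t[1]))

def negated_host_clause(hostname):
    """Snort 2.9 rule fragment to exclude one confirmed-benign HTTP host: a negated
    content match on the Host header. The analyst resolves the candidate
    destination address to a hostname before proposing it."""
    return 'content:!"Host|3A| %s|0D 0A|"; http_header; nocase;' % hostname

if __name__ == "__main__":
    for sid, dst, n in fp_candidates(parse_alerts(SAMPLE_ALERTS)):
        print("sid %s -> %s from %d distinct sources; review for FP" % (sid, dst, n))
    print(negated_host_clause("benign.example"))
```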
