Snort mailing list archives

Re: BLACKLIST URI Request Rules


From: Joel Esler <jesler () sourcefire com>
Date: Wed, 3 Aug 2011 14:46:45 -0400

As most of the VRT is currently heading towards Vegas, and I happen to have Internet on my flight....

Yes, we are interested in receiving false positives for ANY rule. Including the blacklist ones. 

These rules are what we call "indicators of compromise": the machine that is causing the alert may not be infected, but 
it certainly is exhibiting the behavior of a compromised machine. 

Please send us what SIDs are alerting; a pcap, if possible, would help. 

On the bottom of snort.org, in the black section, you will find a link that says "submit a false positive". Note: you 
must be logged in first. 

Please use this form, as it processes directly into our bug queue and we can get to it. 

Thanks. 

-- 
Sent from my iPad
Please excuse the brevity

On Aug 3, 2011, at 12:29 PM, Chris Granger <chrisgrangerx () gmail com> wrote:

Hi VRT,

We're noticing that many of these rules released yesterday seem to be generating a high number of false positives, 
and/or the URIs may be pre-compromise indicators. I read your blog posting re how these rules are developed: 
http://vrt-blog.snort.org/2011/02/blacklistrules-clamav-and-data-mining.html

I am curious about what efforts are made to separate potentially benign or pre-compromise indicators from the evil 
and/or post-compromise ones. Also, is there any interest in receiving reports on potential false positives caused by 
particular hosts/domains, to add these to the rules as negated content matches?

Thanks,

Chris

Sent from my iPhone
------------------------------------------------------------------------------
BlackBerry&reg; DevCon Americas, Oct. 18-20, San Francisco, CA
The must-attend event for mobile developers. Connect with experts. 
Get tools for creating Super Apps. See the latest technologies.
Sessions, hands-on labs, demos & much more. Register early & save!
http://p.sf.net/sfu/rim-blackberry-1
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
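Joel asks for the SIDs that are alerting plus a pcap, and Chris asks whether false positives tied to particular hosts are worth reporting. The script below is an added example for this thread, not VRT tooling and not code from either poster: it parses Snort "alert_fast" log lines and summarises each SID by alert count and by distinct source and destination hosts, which is the minimum a useful false-positive report needs. The alert lines are constructed, the SIDs (1:1000001, 1:1000002) are placeholders in the local-rule range rather than real VRT SIDs, and the "many distinct sources" triage heuristic is my own, not the VRT's.

```python
"""Summarise Snort alert_fast lines by SID for a false-positive report.

Assumptions (not from the thread): the sample lines are constructed in Snort's
alert_fast format, the SIDs are local-range placeholders, and the triage rule in
fp_report_candidates() is a heuristic of the author of this example.
"""
import re

# One alert per line, e.g.
# 08/03-12:01:02.123456  [**] [1:1000001:1] MSG [**] [Classification: ...] [Priority: 1] {TCP} 10.0.0.5:51234 -> 198.51.100.7:80
# Classification/Priority brackets and ports are optional (ICMP alerts carry no ports).
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"(?:\[Priority:\s*(?P<prio>\d+)\]\s+)?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\S+?)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample log: three hosts hit the same placeholder URI rule, one host
# trips a placeholder DNS rule twice, and one junk line must be ignored.
SAMPLE_ALERTS = """\
08/03-12:01:02.123456  [**] [1:1000001:1] BLACKLIST URI request (constructed sample) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.5:51234 -> 198.51.100.7:80
08/03-12:01:09.000001  [**] [1:1000001:1] BLACKLIST URI request (constructed sample) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.6:51235 -> 198.51.100.7:80
08/03-12:02:44.500000  [**] [1:1000001:1] BLACKLIST URI request (constructed sample) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.7:51236 -> 198.51.100.7:80
08/03-12:03:10.250000  [**] [1:1000002:2] BLACKLIST DNS request (constructed sample) [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 10.0.0.9:53022 -> 10.0.0.1:53
08/03-12:03:11.250000  [**] [1:1000002:2] BLACKLIST DNS request (constructed sample) [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 10.0.0.9:53023 -> 10.0.0.1:53
this line is not an alert and must be skipped
"""


def parse_fast_alert(line):
    """Return the alert fields as a dict (gid/sid/rev as ints), or None for a non-alert line."""
    m = FAST_ALERT_RE.match(line)
    if m is None:
        return None
    alert = m.groupdict()
    for key in ("gid", "sid", "rev"):
        alert[key] = int(alert[key])
    return alert


def summarize_by_sid(lines):
    """Group alerts by (gid, sid): total count, message, distinct sources and destinations."""
    summary = {}
    for line in lines:
        alert = parse_fast_alert(line)
        if alert is None:
            continue  # junk or preprocessor output, not an alert
        key = (alert["gid"], alert["sid"])
        entry = summary.setdefault(
            key, {"rev": alert["rev"], "msg": alert["msg"], "count": 0, "sources": set(), "dests": set()}
        )
        entry["count"] += 1
        entry["sources"].add(alert["src"])
        entry["dests"].add(alert["dst"])
    return summary


def fp_report_candidates(summary, min_sources=3):
    """Heuristic triage (author's, not the VRT's): a SID firing from many distinct
    internal hosts is worth reporting first, since that pattern is as consistent with a
    benign URI as with N simultaneous infections. Returns keys sorted by source count."""
    candidates = [k for k, e in summary.items() if len(e["sources"]) >= min_sources]
    return sorted(candidates, key=lambda k: (-len(summary[k]["sources"]), -summary[k]["count"]))


def format_report(summary, keys):
    """One line per SID: gid:sid:rev, alert count, distinct src/dst counts, rule message."""
    rows = []
    for gid, sid in keys:
        e = summary[(gid, sid)]
        rows.append(
            f"{gid}:{sid}:{e['rev']}  {e['count']} alerts  "
            f"{len(e['sources'])} src  {len(e['dests'])} dst  {e['msg']}"
        )
    return "\n".join(rows)


if __name__ == "__main__":
    stats = summarize_by_sid(SAMPLE_ALERTS.splitlines())
    print(format_report(stats, fp_report_candidates(stats)))
```

Run it against a real alert file with `summarize_by_sid(open("alert").read().splitlines())`; the pcap that goes with the report is still captured separately, for example with the SID's destination host as the filter, since the alert log alone does not show the full HTTP request the rule matched.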
