Snort mailing list archives
Re: BLACKLIST URI Request Rules
From: Joel Esler <jesler () sourcefire com>
Date: Wed, 3 Aug 2011 14:46:45 -0400
As most of the VRT is currently heading towards Vegas, and I happen to have Internet on my flight.... Yes, we are interested in receiving false positives for ANY rule. Including the blacklist ones. These rules are what we call "indicators of compromise": the machine that is causing the alert may not be infected, but it certainly is exhibiting the behavior of a compromised machine.

Please send us what SIDs are alerting; a pcap, if possible, would help. On the bottom of snort.org, in the black section, you will find a link that says "submit a false positive". Note: you must be logged in first. Please use this form as it processes directly into our bug queue and we can get to it.

Thanks.

--
Sent from my iPad
Please excuse the brevity

On Aug 3, 2011, at 12:29 PM, Chris Granger <chrisgrangerx () gmail com> wrote:
Hi VRT,

We're noticing that many of these rules released yesterday seem to be generating a high number of false positives and/or the URIs may be pre-compromise indicators. I read your blog posting re how these rules are developed: http://vrt-blog.snort.org/2011/02/blacklistrules-clamav-and-data-mining.html

I am curious about what efforts are made to separate potential benign or pre-compromise indicators from the evil and/or post-compromise. Also, is there any interest in receiving reports on potential false positives caused by particular hosts/domains to add these to the rules as negated content matches?

Thanks,
Chris

Sent from my iPhone
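Joel asks reporters to say which SIDs are alerting, and Chris asks about negated content matches for hosts that repeatedly trip a rule. The script below is an added example (not code from the thread, Sourcefire or the Snort project) that parses constructed lines in Snort's alert_fast format and summarises, per SID, how many distinct internal hosts fired it and against which destinations; a SID fired by many unrelated hosts toward one destination is a candidate for a false-positive report rather than evidence that each host is compromised. The SIDs, hosts and message texts are placeholders.

```python
import re
from collections import Counter, defaultdict

# Constructed sample alert_fast lines (not real alerts): local-range SIDs,
# RFC 1918 sources and RFC 5737 documentation addresses as destinations.
SAMPLE_ALERTS = """\
08/03-12:01:05.100000  [**] [1:1000001:1] BLACKLIST URI request (example) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.5:51234 -> 203.0.113.7:80
08/03-12:01:07.200000  [**] [1:1000001:1] BLACKLIST URI request (example) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.6:51235 -> 203.0.113.7:80
08/03-12:02:09.300000  [**] [1:1000002:1] BLACKLIST URI request (example 2) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.5:51236 -> 198.51.100.9:80
08/03-12:03:11.400000  [**] [1:1000001:1] BLACKLIST URI request (example) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.7:51237 -> 203.0.113.7:80
"""

# Pattern for one alert_fast line: [gid:sid:rev] msg [**] ... {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):?(?P<sport>\d+)?"
    r"\s+->\s+(?P<dst>[\d.]+):?(?P<dport>\d+)?"
)


def parse_alerts(text):
    """Yield one dict per parseable alert_fast line; unparseable lines are skipped."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            yield m.groupdict()


def summarize(text, min_distinct_sources=2):
    """Per gid:sid, return hit count, distinct sources, destinations and whether the
    rule was fired by enough different internal hosts to merit a false-positive review."""
    hits, msgs = Counter(), {}
    sources, dests = defaultdict(set), defaultdict(set)
    for a in parse_alerts(text):
        key = f"{a['gid']}:{a['sid']}"
        hits[key] += 1
        msgs[key] = a["msg"]
        sources[key].add(a["src"])
        dests[key].add(a["dst"])
    return {
        key: {
            "msg": msgs[key],
            "hits": n,
            "sources": sorted(sources[key]),
            "destinations": sorted(dests[key]),
            "review_candidate": len(sources[key]) >= min_distinct_sources,
        }
        for key, n in hits.items()
    }
```

Run it over a real alert_fast file by passing the file contents to summarize(); the "review_candidate" SIDs, together with the pcap Joel asks for, are what belong in the false-positive submission.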