Snort mailing list archives

Re: BLACKLIST URI Request Rules


From: Chris Granger <chrisgrangerx () gmail com>
Date: Wed, 3 Aug 2011 19:01:10 +0000

Much appreciated, Joel, will do - enjoy BH! Wish I was headed there too ;)

On Wed, Aug 3, 2011 at 6:46 PM, Joel Esler <jesler () sourcefire com> wrote:

As most of the VRT is currently heading towards Vegas, and I happen to have
Internet on my flight....

Yes, we are interested in receiving false positives for ANY rule. Including
the blacklist ones.

These rules are what we call "indicators of compromise"; the machine that
is causing the alert may not be infected, but it certainly is exhibiting the
behavior of a compromised machine.

Please send us what SIDs are alerting; a pcap, if possible, would help.

On the bottom of snort.org, in the black section, you will find a link
that says "submit a false positive". Note: you must be logged in first.

Please use this form, as it processes directly into our bug queue and we can
get to it.

Thanks.

--
Sent from my iPad
Please excuse the brevity

On Aug 3, 2011, at 12:29 PM, Chris Granger <chrisgrangerx () gmail com>
wrote:

Hi VRT,

We're noticing that many of these rules released yesterday seem to be
generating a high number of false positives and/or the URIs may be
pre-compromise indicators. I read your blog posting re how these rules are
developed
http://vrt-blog.snort.org/2011/02/blacklistrules-clamav-and-data-mining.html

I am curious about what efforts are made to separate potential benign or
pre-compromise indicators from the evil and/or post-compromise ones. Also, is
there any interest in receiving reports on potential false positives caused
by particular hosts/domains, to add these to the rules as negated content
matches?

Thanks,

Chris

Sent from my iPhone

------------------------------------------------------------------------------
BlackBerry&reg; DevCon Americas, Oct. 18-20, San Francisco, CA
The must-attend event for mobile developers. Connect with experts.
Get tools for creating Super Apps. See the latest technologies.
Sessions, hands-on labs, demos & much more. Register early & save!
http://p.sf.net/sfu/rim-blackberry-1
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
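As an added illustration of the "negated content match" Chris asks about (this is example rule text written for this page, not a VRT rule and not from the thread): a blacklist-style URI rule in Snort 2.x syntax, first in its plain form, then with one known-benign host carved out. The URI path, the host name and the SIDs (chosen from the local 1000000+ range) are placeholders for the example.

```snort
# Added example, not a VRT rule. Path, host name and SIDs are placeholders.
# Plain blacklist-URI shape: alert on a client request whose normalized URI
# contains a path known to be requested by a malware family.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"BLACKLIST URI request for known malicious path (example)"; \
    flow:to_server,established; \
    content:"/example/checkin.php"; http_uri; \
    classtype:trojan-activity; \
    sid:1000001; rev:1; )

# Same rule with a false-positive source excluded via a negated content match
# on the Host header. The rule now fires only when the URI matches AND the
# Host header is NOT the excluded benign domain.
# The trailing |0D 0A| anchors the match at the end of the header value, so a
# lookalike such as "trusted.example.com.evil.test" is not excluded as well.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"BLACKLIST URI request for known malicious path, benign host excluded (example)"; \
    flow:to_server,established; \
    content:"/example/checkin.php"; http_uri; \
    content:!"Host: trusted.example.com|0D 0A|"; http_header; nocase; \
    classtype:trojan-activity; \
    sid:1000002; rev:1; )
```

Because the negated match is a literal substring test on the header buffer, keep it as specific as the traffic allows (full host name plus the line terminator, as above) rather than a bare domain fragment, or the exclusion will also silence hits on hosts that merely contain the string. A local exclusion like this is a stopgap; the SID and a pcap still need to go through the false-positive form so the change can land in the published rule.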
