Snort mailing list archives
Re: BLACKLIST URI Request Rules
From: Chris Granger <chrisgrangerx () gmail com>
Date: Wed, 3 Aug 2011 19:01:10 +0000
Much appreciated, Joel, will do - enjoy BH! Wish I was headed there too ;)

On Wed, Aug 3, 2011 at 6:46 PM, Joel Esler <jesler () sourcefire com> wrote:

> As most of the VRT is currently heading towards Vegas, and I happen to have Internet on my flight.... Yes, we are interested in receiving false positives for ANY rule, including the blacklist ones. These rules are what we call "indicators of compromise": the machine that is causing the alert may not be incited, but it certainly is exhibiting the behavior of a compromised machine.
>
> Please send us what SIDs are alerting; a pcap, if possible, would help. On the bottom of snort.org, in the black section, you will find a link that says "submit a false positive". Note, you must be logged in first. Please use this form as it processes directly into our bug queue and we can get to it.
>
> Thanks.
>
> --
> Sent from my iPad
> Please excuse the brevity
>
> On Aug 3, 2011, at 12:29 PM, Chris Granger <chrisgrangerx () gmail com> wrote:
>
>> Hi VRT,
>>
>> We're noticing that many of these rules released yesterday seem to be generating a high number of false positives and/or the URIs may be pre-compromise indicators. I read your blog posting re how these rules are developed: http://vrt-blog.snort.org/2011/02/blacklistrules-clamav-and-data-mining.html
>>
>> I am curious about what efforts are made to separate potential benign or pre-compromise indicators from the evil and/or post-compromise. Also, is there any interest in receiving reports on potential false positives caused by particular hosts/domains, to add these to the rules as negated content matches?
>>
>> Thanks,
>> Chris
>>
>> Sent from my iPhone

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Current thread:
- BLACKLIST URI Request Rules Chris Granger (Aug 03)
- Re: BLACKLIST URI Request Rules Adam Gardner (Aug 03)
- Re: BLACKLIST URI Request Rules Joel Esler (Aug 03)
- Re: BLACKLIST URI Request Rules Chris Granger (Aug 03)