Re: signature true positive or not

[Kevin Ross <kevross33 () googlemail com>]

Oh right. Well it is just that when VRT release their rulesets they will
tell you whether or not by default it is enabled or disabled. If it is a
rule you would like to run you have to enable it yourself (using
pulledpork) and vice versa for disabling any enabled by default rules you
don't need. In contrast the emergingthreats.net rules are largely
distributed entirely enabled unless it is a performance/false positive
concern and it is up to you to disable them as needed.

Kind Regards,
Kevin Ross

On 24 January 2012 09:50, Yossi <yasayag () gmail com> wrote:

>  I just wanted to understand the meaning of "Default rule state" =
> DISABLED.
> Should I disabled the rule from the rule files, or the rule hasn't been
> updated.
>
> yossi
>
> On 01/24/2012 11:33 AM, Kevin Ross wrote:
>
> I am not sure exactly what you mean but I will make a few guesses and hope
> I answer your question:
>
> 1) If you mean about it saying it is disabled in the rule update that
> means by default it is disabled and it is up to you whether or not you want
> to enable it.
> 2) If you did enable it and you got a hit we won't be able to determine if
> it was a true positive (when it really is an attack) or a false negative
> (when the sig fires but the traffic isn't an attack) unless you provide a
> packet.
>
> Kind Regards,
> Kevin Ross
>
>
> On 24 January 2012 09:11, Yossi <yasayag () gmail com> wrote:
>
> >  Can someone explain the meaning of the the content which I'd found on
> > the VRT site  .
> >
> >  Sourcefire VRT Rules Update
> > Date: 2011-12-28
> >
> > This is the complete list of rules modified and added in the Sourcefire
> > VRT Certified rule pack for Snort version 2.9.1.0.
> >
> > The format of the file is:
> >
> > *gid:sid <-> Default rule state <-> Message (rule group)*
> > New Rules:
> >
> >  * 1:20821 <-> DISABLED <-> EXPLOIT Apache APR header memory corruption attempt (exploit.rules)
> >
> >
> >
> >  Is the signature 20821 (EXPLOIT Apache APR header memory corruption
> > attempt) true positive and should be disabled or not?
> >
> > Thanks
> >
> >
> > ------------------------------------------------------------------------------
> > Keep Your Developer Skills Current with LearnDevNow!
> > The most comprehensive online learning library for Microsoft developers
> > is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
> > Metro Style Apps, more. Free future releases when you subscribe now!
> > http://p.sf.net/sfu/learndevnow-d2d
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest
> > Snort news!
------------------------------------------------------------------------------
Keep Your Developer Skills Current with LearnDevNow!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-d2d

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!