Snort mailing list archives

Re: signature true positive or not


From: Joel Esler <jesler () sourcefire com>
Date: Tue, 24 Jan 2012 11:17:45 -0500

The VRT can tell you if the alert that you receive matches the research
that we have done about the vulnerability.

If the rule alerts.

J

On Tue, Jan 24, 2012 at 10:50 AM, JJC <cummingsj () gmail com> wrote:

Beyond that, as was mentioned earlier, we cannot possibly tell you if it
was a true positive or a false positive in your environment.  Often even if
you provide a PCAP.  Sure, with a PCAP we could probably say this was a
legitimate attack, but if the target system is not vulnerable...  There
are a number of factors that YOU as the analyst must be able to answer and
work your way through to determine this.

JJC


On Tue, Jan 24, 2012 at 6:31 AM, Kevin Ross <kevross33 () googlemail com> wrote:

Oh right. Well it is just that when VRT release their rulesets they will
tell you whether or not by default it is enabled or disabled. If it is a
rule you would like to run you have to enable it yourself (using
pulledpork) and vice versa for disabling any enabled by default rules you
don't need. In contrast the emergingthreats.net rules are largely
distributed entirely enabled unless it is a performance/false positive
concern and it is up to you to disable them as needed.

Kind Regards,
Kevin Ross

On 24 January 2012 09:50, Yossi <yasayag () gmail com> wrote:

I just wanted to understand the meaning of "Default rule state" =
DISABLED.
Should I disable the rule in the rule files, or has the rule not been
updated?

yossi


On 01/24/2012 11:33 AM, Kevin Ross wrote:

I am not sure exactly what you mean but I will make a few guesses and
hope I answer your question:

1) If you mean about it saying it is disabled in the rule update that
means by default it is disabled and it is up to you whether or not you want
to enable it.
2) If you did enable it and you got a hit we won't be able to determine
if it was a true positive (when it really is an attack) or a false negative
(when the sig fires but the traffic isn't an attack) unless you provide a
packet.

Kind Regards,
Kevin Ross


On 24 January 2012 09:11, Yossi <yasayag () gmail com> wrote:

Can someone explain the meaning of the content which I'd found on
the VRT site.

 Sourcefire VRT Rules Update
Date: 2011-12-28

This is the complete list of rules modified and added in the Sourcefire
VRT Certified rule pack for Snort version 2.9.1.0.

The format of the file is:

*gid:sid <-> Default rule state <-> Message (rule group)*
New Rules:

 * 1:20821 <-> DISABLED <-> EXPLOIT Apache APR header memory corruption attempt (exploit.rules)



 Is the signature 20821 (EXPLOIT Apache APR header memory corruption
attempt) true positive and should be disabled or not?

Thanks


------------------------------------------------------------------------------
Keep Your Developer Skills Current with LearnDevNow!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!














-- 
Joel Esler | http://blog.snort.org | http://vrt-blog.snort.org |
http://blog.clamav.net
Twitter:  http://twitter.com/snort
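An added example, not code from this thread or from Sourcefire or pulledpork: it parses the "gid:sid <-> Default rule state <-> Message (rule group)" listing Yossi quotes, picks out the rules that ship DISABLED in groups the analyst wants, and emits them as one "gid:sid" per line, which is the form I assume pulledpork's enablesid.conf accepts. Only 1:20821 comes from the thread; the other sample entries are constructed.

```python
import re

# Constructed sample in the VRT rule-update listing format from the thread.
# 1:20821 is the entry quoted in the thread; the 1:9999000x lines are made up.
SAMPLE_UPDATE = """\
New Rules:

 * 1:20821 <-> DISABLED <-> EXPLOIT Apache APR header memory corruption attempt (exploit.rules)
 * 1:99990001 <-> ENABLED <-> EXAMPLE constructed rule that ships enabled (example.rules)
 * 1:99990002 <-> DISABLED <-> EXAMPLE constructed rule that ships disabled (example.rules)
"""

# One listing line: " * gid:sid <-> STATE <-> message (group)"
LINE_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)"
    r"\s*<->\s*(?P<msg>.+?)\s*\((?P<group>[^)]+)\)\s*$"
)


def parse_update(text):
    """Return one dict per rule line; headers and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        d = m.groupdict()
        d["gid"], d["sid"] = int(d["gid"]), int(d["sid"])
        rules.append(d)
    return rules


def disabled_in_groups(rules, groups):
    """Rules shipped DISABLED by default that fall in rule groups the analyst cares about."""
    return [r for r in rules if r["state"] == "DISABLED" and r["group"] in groups]


def enablesid_lines(rules):
    """'gid:sid' per line, the enablesid.conf form I assume pulledpork reads."""
    return ["%d:%d" % (r["gid"], r["sid"]) for r in rules]


if __name__ == "__main__":
    parsed = parse_update(SAMPLE_UPDATE)
    for r in parsed:
        print("%d:%d %-8s %s [%s]" % (r["gid"], r["sid"], r["state"], r["msg"], r["group"]))
    print("enablesid.conf candidates:")
    print("\n".join(enablesid_lines(disabled_in_groups(parsed, {"exploit.rules"}))))
```

Whether an enabled rule's hit is a true positive in your network still needs the packet and knowledge of the target, as the replies above say; this only automates the bookkeeping of which rules you chose to turn on.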
