Snort mailing list archives
Re: False Positive on VRT 28039
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Wed, 27 Nov 2013 14:00:31 +0000
No, that wouldn't be appropriate, since u.pw is still ".pw". This is a case for suppression on your local instance, if alerts to "u.pw" are allowed in your organization.

--
Joel Esler
AEGIS Intelligence Lead
OpenSource Manager
Vulnerability Research Team, Sourcefire

On Nov 26, 2013, at 11:19 PM, Jeremy Hoel <jthoel () gmail com> wrote:
> I was fiddling around with it, trying to have it !content for u.pw; still working on that. The category is fine, I just wondered if there was a desire to filter the known site.
>
> On Tue, Nov 26, 2013 at 9:04 PM, Joel Esler (jesler) <jesler () cisco com> wrote:
>
>> Maybe indicator-compromise is the wrong category.
>>
>> --
>> Joel Esler
>> Intelligence Lead
>> Open Source Manager
>> Vulnerability Research Team
>>
>> On Nov 26, 2013, at 19:39, "Jeremy Hoel" <jthoel () gmail com> wrote:
>>
>>> The rule is looking for .pw as an indicator of compromise; however, Upworthy bought u.pw as a URL shortener. Maybe modify the rule to exclude that domain?
>>> http://www.thedomains.com/2013/06/03/upworthy-com-buys-u-pw-as-url-shortener/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
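An added example in Python (not from this thread and not the text of VRT rule 28039): it models the rule's ".pw" host check, shows why a substring exclusion of the `!content` kind Jeremy describes would also drop hosts that merely end in "u.pw", and applies the local suppression Joel recommends as an exact-host/subdomain allowlist decided by the organization. The allowlist contents and the sample URLs are constructed.

```python
from urllib.parse import urlsplit

# Constructed local policy: the organisation has decided u.pw (and hosts
# under it) are acceptable. This lives on the local sensor, not in the rule.
ALLOWED_HOSTS = {"u.pw"}


def host_of(url: str) -> str:
    """Lowercase host portion of a URL (or of a bare host string)."""
    parsed = urlsplit(url if "//" in url else "//" + url)
    return (parsed.hostname or "").lower()


def rule_matches(host: str) -> bool:
    """Upstream-style check: any host under the .pw TLD is an indicator."""
    return host == "pw" or host.endswith(".pw")


def naive_negated_content(host: str) -> bool:
    """Effect of a content:!"u.pw" style exclusion: it is a substring test, so a
    host such as 'notu.pw' is silently excluded too, although it is not u.pw."""
    return rule_matches(host) and "u.pw" not in host


def suppressed_locally(host: str) -> bool:
    """Local suppression: exact allowed host, or a proper subdomain of one."""
    return any(host == a or host.endswith("." + a) for a in ALLOWED_HOSTS)


def alert(host: str) -> bool:
    """The rule fires first; local policy then decides whether the alert stands."""
    return rule_matches(host) and not suppressed_locally(host)


def triage(urls):
    """Return the hosts that would still alert after local suppression."""
    return [h for h in (host_of(u) for u in urls) if alert(h)]


if __name__ == "__main__":
    # Constructed sample traffic, not captured data.
    sample = ["http://u.pw/abc123", "http://notu.pw/x", "http://evil.pw/payload",
              "http://example.com/", "http://cdn.u.pw/img"]
    print(triage(sample))  # ['notu.pw', 'evil.pw']
```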
Current thread:
- False Positive on VRT 28039 Jeremy Hoel (Nov 26)
- Re: False Positive on VRT 28039 Joel Esler (jesler) (Nov 26)
- Re: False Positive on VRT 28039 Jeremy Hoel (Nov 26)
- Re: False Positive on VRT 28039 Joel Esler (jesler) (Nov 27)
- Re: False Positive on VRT 28039 Jeremy Hoel (Nov 26)
- Re: False Positive on VRT 28039 Joel Esler (jesler) (Nov 26)