Snort mailing list archives
Re: Question regarding a rule
From: Charlie Egan <chas5873 () gmail com>
Date: Wed, 25 Jun 2014 13:10:25 +0100
Hi James,

Sorry, a bit new to all of this - is a pcap file just a saved Wireshark file so you can have a look at all of the packets?

Cheers

On Wed, Jun 25, 2014 at 12:39 PM, James Lay <jlay () slave-tothe-box net> wrote:
> On Tue, 2014-06-24 at 21:36 +0100, Charlie Egan wrote:
>> Nope, none whatsoever other than specifying my $HOME_NET IP. I assumed they may be false positives, but I'm only downloading one torrent file to my desktop when I run the test, so it doesn't make sense to me why 25-odd alerts are popping up. The content of the rule is at the beginning of the hex dump of the metafile, and |38 64 61| certainly doesn't pop up again within the file. Do you have any idea what could be causing false positives?
>>
>> Cheers
>
> If you'd like to share a pcap of the file off list I'll take a look at that and the current rule you're trying.
>
> James
>
> ------------------------------------------------------------------------------
> Open source business process management suite built on Java and Eclipse
> Turn processes into business applications with Bonita BPM Community Edition
> Quickly connect people, data, and systems into organized workflows
> Winner of BOSSIE, CODIE, OW2 and Gartner awards
> http://p.sf.net/sfu/Bonitasoft
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
> Please visit http://blog.snort.org for the latest news about Snort!
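Added example, not part of the thread or of Snort itself: a pcap is the libpcap capture format that Wireshark and tcpdump save (a 24-byte global header followed by one 16-byte record header per captured frame), so the question in the message above can be answered by reading one. The script below parses that format, pulls the TCP payload out of each Ethernet/IPv4/TCP frame, and counts how many packets carry the three content bytes |38 64 61| (the ASCII text "8da"). That is the check to run when a rule alerts far more often than the file contains the pattern: a plain `content:` match is evaluated per packet (or per reassembled stream), so the hit count is the number of packets carrying the bytes, and a three-byte pattern can turn up in unrelated payloads such as peer IDs or binary piece data. The capture, the metafile and the frame builder are all constructed here for illustration and are not real traffic.

```python
"""Minimal libpcap reader plus a per-packet content check (added example, not from the thread)."""
import struct

# Content bytes from the thread's rule: |38 64 61| is the ASCII text "8da".
CONTENT = bytes.fromhex("38 64 61")

# libpcap magic numbers as read little-endian from the first 4 bytes of the file.
LE_MAGICS = {0xA1B2C3D4, 0xA1B23C4D}   # file written little-endian (usec / nsec timestamps)
BE_MAGICS = {0xD4C3B2A1, 0x4D3CB2A1}   # file written big-endian


def parse_pcap(data: bytes):
    """Yield (ts_sec, ts_frac, frame_bytes) for each record of a classic libpcap file.

    Layout: 24-byte global header, then per record a 16-byte header
    (ts_sec, ts_frac, incl_len, orig_len) followed by incl_len bytes of frame.
    """
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic in LE_MAGICS:
        endian = "<"
    elif magic in BE_MAGICS:
        endian = ">"
    else:
        raise ValueError(f"not a libpcap file (magic {magic:#010x})")
    off = 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated frame at offset %d" % off)
        off += incl_len
        yield ts_sec, ts_frac, frame


def tcp_payload(frame: bytes):
    """Return the TCP payload of an Ethernet/IPv4/TCP frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":      # EtherType IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4                            # IPv4 header length
    if frame[23] != 6:                                      # IP protocol 6 = TCP
        return None
    tcp = 14 + ihl
    if len(frame) < tcp + 20:
        return None
    data_off = (frame[tcp + 12] >> 4) * 4                   # TCP header length
    return frame[tcp + data_off:]


def packets_matching(pcap_bytes: bytes, content: bytes):
    """Indices of records whose TCP payload contains `content`.

    Each packet is tested on its own, as a bare content match does, so the
    number of hits is the number of packets carrying the bytes, not the
    number of times the bytes occur in the downloaded file.
    """
    hits = []
    for idx, (_, _, frame) in enumerate(parse_pcap(pcap_bytes)):
        payload = tcp_payload(frame)
        if payload is not None and content in payload:
            hits.append(idx)
    return hits


# --- constructed sample capture (not a real trace) -------------------------

def make_frame(payload: bytes) -> bytes:
    """Build a minimal Ethernet/IPv4/TCP frame around `payload` (checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = (bytes([0x45, 0]) + struct.pack(">H", 40 + len(payload))
          + b"\x00\x00\x40\x00\x40\x06\x00\x00" + bytes([10, 0, 0, 1]) + bytes([10, 0, 0, 2]))
    tcp = struct.pack(">HHIIBBHHH", 51000, 6881, 1, 1, 0x50, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames) -> bytes:
    """Write frames into a little-endian libpcap byte string (linktype 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1403700000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)


# A made-up .torrent-like metafile in which the three bytes occur exactly once.
METAFILE = b"d8:announce28:http://tracker.example/8da/a4:infod6:lengthi4096e4:name5:x.bine"

SAMPLE_PCAP = build_pcap([
    make_frame(b"GET /x.torrent HTTP/1.1\r\nHost: files.example\r\n\r\n"),                       # 0: no match
    make_frame(b"HTTP/1.1 200 OK\r\nContent-Type: application/x-bittorrent\r\n\r\n" + METAFILE),  # 1: the metafile
    make_frame(b"GET /announce?peer_id=-XX1234-8da91zq0p&port=6881 HTTP/1.1\r\n\r\n"),           # 2: same bytes in a peer id
    make_frame(b"\x13BitTorrent protocol" + b"\x00" * 8 + bytes(range(0x30, 0x44)) + b"\x38\x64\x61\xff"),  # 3: chance hit in binary data
    make_frame(b"\x00\x00\x00\x01\x02"),                                                             # 4: no match
])


if __name__ == "__main__":
    print("occurrences inside the metafile:", METAFILE.count(CONTENT))
    print("packets whose payload contains", CONTENT, ":", packets_matching(SAMPLE_PCAP, CONTENT))
```

Run against a real capture by replacing `SAMPLE_PCAP` with the bytes of the saved file; if `packets_matching` returns many more indices than the metafile has occurrences, the extra alerts come from other packets that happen to contain the same short byte sequence, which is the usual reason to anchor a content match with `offset`, `depth`, a longer pattern, or a port and direction constraint rather than matching three bytes anywhere.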