Snort mailing list archives

Snort Blog: Reporting False Positives with Snort.org


From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Tue, 22 Nov 2016 16:06:41 +0000
http://blog.snort.org/2016/11/reporting-false-positives-with-snortorg.html

Reporting False Positives with Snort.org

Some users may not be aware, but you've been able to report false positives on Snort.org for years. I say that users may not be aware because, quite unintentionally, the feature wasn't very easy to find.

With today's rollout of version 5.1.1 of Snort.org, hopefully, we've fixed that.

When visiting Snort.org, upon logging in:

[image: homepage.png] http://3.bp.blogspot.com/-L1V6hKiWIWU/WDRoorYiJGI/AAAAAAAAA7Y/E-3VvrH16M86fSLO92z72fkj2r4S9LCIwCK4B/s1600/homepage.png

then clicking on your email in the same section after logging in, you will be taken to your User Preferences and information screen.

On the left side of the screen, you will see the different sections in your user account, including a new link at the bottom of the list for "False Positive":

[image: preferences.png] http://1.bp.blogspot.com/-kx0fMjX8C-A/WDRpBdUF4GI/AAAAAAAAA7g/ZZ5El814SdgQ-V2-Au-XgE1snjCK4wn6QCK4B/s1600/preferences.png

[image: fp.png] http://2.bp.blogspot.com/-hQH0MsesgN4/WDRq4br6wfI/AAAAAAAAA7s/f8zaK7ilr14CUf-esy7xATyHlrYbQf2JwCK4B/s1600/fp.png

[cid:E67A2169-04E1-4F6B-93C5-E225B26F5F27@vrt.sourcefire.com]<http://2.bp.blogspot.com/-hQH0MsesgN4/WDRq4br6wfI/AAAAAAAAA7s/f8zaK7ilr14CUf-esy7xATyHlrYbQf2JwCK4B/s1600/fp.png>


The screen looks like this:

[image: fp.png] http://3.bp.blogspot.com/-Acd2PoO6t9M/WDRrDWXDo1I/AAAAAAAAA70/zdhCpb-0kZkaQ91NGlXTjfaUS01ozJQLACK4B/s1600/fp.png

When you fill out this form and click submit, the pcap and description will enter directly into our analyst's queue for work, allowing us to process false positives quickly.


In a future version of the Snort site, we are going to tie this feature directly into what we call the "Analyst Console" here at Talos, allowing you to see the status of your false positive automatically as it flows through our system, including when the rule will be fixed and when the fix was released.

In the meantime, please use this system for your FP reports, and help us improve the feature!


--
Joel Esler | Talos: Manager | jesler () cisco com

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!