Snort mailing list archives
False Positives
From: "Kent Freeman" <kfreeman () nexxtnet com>
Date: Wed, 28 Aug 2002 12:41:19 -0700
Greetings fellow Snorters; I have been experiencing a lot of false positives, and need a little help. The false positives are being generated by this "porn virgin" ruleset:

    alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN virgin"; content:"virgin"; nocase; flags:A+; classtype:kickass-porn; sid:1796; rev:1;)

The problem is that whenever a packet with the word "Virginia" traverses my network, it is logged as an alert. What is the best method to prevent this? Add a rule to local.rules like this:

    # A custom classtype such as false-positive-porn must also be defined in classification.config,
    # and a local rule needs its own sid (local rules use sid 1000000 and above) rather than reusing 1796.
    pass tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN virgin false positive"; content:"Virginia"; nocase; flags:A+; classtype:false-positive-porn; sid:1000001; rev:1;)

Is there a way to add a second content section to the existing rule? Does Snort support regular expressions in the rules (not, if, or, else, etc.)?

Any help will be greatly appreciated.

Kent Freeman

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
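The three approaches raised in the post (a plain substring `content:` match, a separate pass rule keyed on "Virginia", and a second negated content or a regular expression on the same rule) behave differently on the same traffic, and the difference is easiest to see by modelling them side by side. The following Python is an added example written for this archive page, not Snort code and not from the original poster: it models Snort's `content:` keyword as a case-insensitive substring test, the pass rule as taking precedence over the alert rule (an assumption about rule order), a negated second content as "match virgin but not virginia", and a `\bvirgin\b` regular expression as the word-boundary alternative. The sample payloads are constructed, not captured traffic. Snort 2.x and later do provide a `pcre:` option and negated `content:!` matches; their exact syntax is not shown here.

```python
import re

# Constructed sample payloads standing in for HTTP response bodies (not real traffic).
SAMPLES = {
    "adult_site": "Welcome to Virgin Island Girls - new virgin content weekly",
    "virginia":   "University of Virginia admissions office - apply today",
    "both":       "Virginia Tech dining hall now serves virgin olive oil",
    "clean":      "Quarterly earnings report for the fiscal year",
}


def content_match(payload: str, pattern: str, nocase: bool = True) -> bool:
    """Model of Snort's content: keyword - a plain substring test, optionally case-insensitive."""
    if nocase:
        return pattern.lower() in payload.lower()
    return pattern in payload


def original_rule(payload: str) -> bool:
    """sid:1796 as posted: content:"virgin"; nocase; - fires on anything containing 'virgin'."""
    return content_match(payload, "virgin")


def original_with_pass_rule(payload: str) -> bool:
    """The posted workaround: a pass rule on 'Virginia' that wins over the alert rule.

    Assumption: pass rules are evaluated before alert rules (Snort's pass->alert->log order).
    The whole packet is dropped from alerting, even if it also contains a standalone 'virgin'.
    """
    suppressed = content_match(payload, "Virginia")
    return original_rule(payload) and not suppressed


def negated_content_rule(payload: str) -> bool:
    """A single rule with a second, negated content: 'virgin' present AND 'virginia' absent.

    Same blind spot as the pass rule: one 'Virginia' anywhere masks a real 'virgin' hit.
    """
    return content_match(payload, "virgin") and not content_match(payload, "virginia")


# Word-boundary regular expression: 'virgin' as a whole word, so 'Virginia' does not match
# but 'virgin olive oil' still does, even in the same packet as 'Virginia'.
WORD_VIRGIN = re.compile(r"\bvirgin\b", re.IGNORECASE)


def regex_rule(payload: str) -> bool:
    return WORD_VIRGIN.search(payload) is not None


RULES = {
    "original": original_rule,
    "with_pass": original_with_pass_rule,
    "negated_content": negated_content_rule,
    "regex": regex_rule,
}


def evaluate() -> dict:
    """Run every modelled rule over every sample; returns {sample: {rule: fired}}."""
    return {name: {rule: fn(payload) for rule, fn in RULES.items()}
            for name, payload in SAMPLES.items()}


if __name__ == "__main__":
    for sample, results in evaluate().items():
        fired = ", ".join(r for r, hit in results.items() if hit) or "-"
        print(f"{sample:<12} fires: {fired}")
```

The "both" sample is the case worth keeping in mind when choosing a fix: a pass rule or a negated content on "Virginia" silences the whole packet, so a genuine "virgin" hit in the same response is lost, while the word-boundary expression still fires on it and stays quiet on plain "Virginia".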
Current thread:
- False Positives Kent Freeman (Aug 28)
- <Possible follow-ups>
- RE: False Positives Hutchinson, Andrew (Aug 28)