Snort mailing list archives

False Positives


From: "Kent Freeman" <kfreeman () nexxtnet com>
Date: Wed, 28 Aug 2002 12:41:19 -0700

Greetings fellow Snorters;

I have been experiencing a lot of false positives, and need a little help.

The false positives are being generated by this "porn virgin" ruleset:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN virgin";
content:"virgin"; nocase; flags:A+; classtype:kickass-porn; sid:1796;
rev:1;)

The problem is that whenever a packet with the word "Virginia" traverses my
network, it is logged as an alert.

What is the best method to prevent this?

Add a rule to local.rules like this:

# Note: the rule header must be followed by the option block in parentheses.
# The sid must be unique; 1796 is already taken by the alert rule above, and local
# rules are expected to use sid >= 1000000. classtype:false-positive-porn is not
# defined in classification.config, so it is omitted here (classtype is optional).
# By default Snort applies alert rules before pass rules; start Snort with -o so
# that pass rules are evaluated first and this rule actually suppresses the alert.
pass tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (content:"Virginia"; nocase;
flags:A+; sid:1000001; rev:1;)

Is there a way to add a second content section to the existing rule?

Does Snort support regular expressions in the rules (not, if, or, else,
etc.)?

Any help will be greatly appreciated.

Kent Freeman
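The behaviour being asked about, as an added example that is not part of the original post or of Snort itself: a small Python emulation of Snort's content matching run over constructed HTTP payloads. It shows why content:"virgin"; nocase; fires on "Virginia", what a pass rule keyed on "Virginia" really does to a packet that also carries a genuine hit, and what a word-boundary match (the kind of thing later Snort versions express with the pcre option, assumed here rather than taken from the post) would do instead. The payloads, function names and the assumption that flags:A+ is satisfied are all constructed for the example.

```python
import re

# Constructed HTTP response payloads for the example; not captures from the post.
PAYLOADS = [
    b"HTTP/1.1 200 OK\r\n\r\n<p>Richmond is the capital of Virginia.</p>",
    b"HTTP/1.1 200 OK\r\n\r\n<p>Welcome to VIRGIN Atlantic bookings.</p>",
    b"HTTP/1.1 200 OK\r\n\r\n<p>virgin olive oil, shipped from Virginia</p>",
    b"HTTP/1.1 200 OK\r\n\r\n<p>nothing to see here</p>",
]


def content_nocase(payload: bytes, needle: bytes) -> bool:
    """Emulates content:"..."; nocase; -- a plain case-insensitive substring
    search with no notion of word boundaries. flags:A+ is assumed to match."""
    return needle.lower() in payload.lower()


def sid1796_alerts(payload: bytes) -> bool:
    """The alert rule from the post: content:"virgin"; nocase;"""
    return content_nocase(payload, b"virgin")


def pass_rule_suppresses(payload: bytes) -> bool:
    """The proposed pass rule: any packet containing 'Virginia' is exempted
    from alerting as a whole (assumes Snort runs with -o so pass wins)."""
    return content_nocase(payload, b"Virginia")


def alerts_with_pass(payload: bytes) -> bool:
    """Alert rule combined with the pass rule: a packet that carries both
    'Virginia' and a real 'virgin' hit is silently dropped."""
    return sid1796_alerts(payload) and not pass_rule_suppresses(payload)


# ASCII word boundaries on a bytes pattern; what a hypothetical
# pcre:"/\bvirgin\b/i" option would match in later Snort versions.
WORD_RE = re.compile(rb"\bvirgin\b", re.IGNORECASE)


def alerts_word_boundary(payload: bytes) -> bool:
    """Word-boundary match: 'Virginia' no longer fires, 'VIRGIN' and
    'virgin' still do, and packets mixing both are still caught."""
    return WORD_RE.search(payload) is not None


def evaluate(payloads=PAYLOADS):
    """Return (original rule, original+pass rule, word-boundary rule)
    verdicts per payload so the three approaches can be compared."""
    return [
        (sid1796_alerts(p), alerts_with_pass(p), alerts_word_boundary(p))
        for p in payloads
    ]


if __name__ == "__main__":
    for payload, verdict in zip(PAYLOADS, evaluate()):
        print(verdict, payload.split(b"\r\n\r\n", 1)[1].decode())
```

The third payload is the caveat: the pass rule hides a real match because the same packet happens to mention Virginia, while the word-boundary match keeps it. The pass-rule approach also depends on rule ordering; by default Snort applies alert rules before pass rules, so without -o the pass rule changes nothing.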



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users