Snort mailing list archives

RE: False Positives


From: "Hutchinson, Andrew" <Andrew.Hutchinson () Vanderbilt edu>
Date: Wed, 28 Aug 2002 15:36:10 -0500

I believe that the alert rules are applied before the pass rules, and
thus the pass rule wouldn't work unless you changed the default alerting
order with the '-o' switch.

You could add a space after the word "virgin" in the content part of the
rule, if you wanted to.  Or you could just comment out the rule, let
some of the potential porn get by, and make Larry Flynt et al happy.

Andrew

-----Original Message-----
From: Kent Freeman [mailto:kfreeman () nexxtnet com] 
Sent: Wednesday, August 28, 2002 2:41 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] False Positives


Greetings fellow Snorters;

I have been experiencing a lot of false positives, and need a little
help.

The false positives are being generated by this "porn virgin" ruleset:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN virgin"; content:"virgin"; nocase; flags:A+; classtype:kickass-porn; sid:1796; rev:1;)

The problem is that whenever a packet with the word "Virginia" traverses
my network, it is logged as an alert.

What is the best method to prevent this?

Add a rule to local.rules like this:

pass tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (content:"Virginia"; flags:A+; classtype:false-positive-porn; sid:1796; rev:1;)

Is there a way to add a second content section to the existing rule?

Does Snort support regular expressions in the rules (not, if, or, else,
etc.)?

Any help will be greatly appreciated.

Kent Freeman



-------------------------------------------------------
This sf.net email is sponsored by: Jabber - The world's fastest growing 
real-time communications platform! Don't just IM. Build it in! 
http://www.jabber.com/osdn/xim
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


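Editor's added example, not part of the thread and not Snort code: a small Python model of the two behaviours the replies rely on, namely that Snort 1.x tries rule types in the order Alert, Pass, Log unless started with '-o' (which makes it Pass, Alert, Log), and that the 'content' option is a plain substring test with 'nocase' folding case. The rule dicts, the three HTTP bodies and the function names are constructed for the example; 'flags:A+' and the address/port headers are not modelled. The pass rule's sid is changed from 1796 to 1000001 because Snort reserves sids of 1,000,000 and above for local rules, and its classtype is left as posted even though it would still have to be defined in classification.config before Snort would load it.

```python
# Added example (not from the thread): toy model of Snort 1.x rule-type
# ordering and the content/nocase option. All names below are assumptions.

# Snort's default rule-type order; `snort -o` switches to Pass -> Alert -> Log.
DEFAULT_ORDER = ("alert", "pass", "log")
PASS_FIRST_ORDER = ("pass", "alert", "log")

# The alert rule from the original post (sid 1796), as a dict.
PORN_VIRGIN = {"type": "alert", "msg": "PORN virgin",
               "content": "virgin", "nocase": True, "sid": 1796}

# Andrew's suggestion: a trailing space after "virgin".
PORN_VIRGIN_SPACE = {"type": "alert", "msg": "PORN virgin",
                     "content": "virgin ", "nocase": True, "sid": 1796}

# Kent's proposed local.rules pass rule. sid moved into the >= 1,000,000
# range Snort reserves for local rules so it does not collide with 1796.
PASS_VIRGINIA = {"type": "pass", "content": "Virginia",
                 "nocase": False, "sid": 1000001}

# Constructed sample HTTP response bodies, not captured traffic.
VIRGINIA = "HTTP/1.0 200 OK\r\n\r\n<title>Commonwealth of Virginia</title>"
PORN = "HTTP/1.0 200 OK\r\n\r\n<title>hot virgin videos</title>"
END_OF_TAG = "HTTP/1.0 200 OK\r\n\r\n<title>virgin</title>"


def content_matches(rule, payload):
    """Snort 'content' is a plain substring test; 'nocase' folds case."""
    needle, hay = rule["content"], payload
    if rule.get("nocase"):
        needle, hay = needle.lower(), hay.lower()
    return needle in hay


def evaluate(rules, payload, order=DEFAULT_ORDER):
    """Return the action Snort 1.x takes for this payload under `order`.

    Rule types are tried in `order`; the first type with a matching rule
    decides. A matching pass rule ends evaluation, so under the default
    order a pass rule never gets a chance to suppress a matching alert.
    """
    for rule_type in order:
        for rule in rules:
            if rule["type"] == rule_type and content_matches(rule, payload):
                return rule_type
    return "none"


def demo():
    """Collect the outcomes the thread is arguing about."""
    ruleset = [PORN_VIRGIN, PASS_VIRGINIA]
    return {
        # Kent's pass rule under the default order: the alert still fires.
        "pass_rule_default_order": evaluate(ruleset, VIRGINIA),
        # Same rules with -o: the pass rule is tried first and wins.
        "pass_rule_with_-o": evaluate(ruleset, VIRGINIA, PASS_FIRST_ORDER),
        # -o does not hide real hits; "virgin videos" contains no "Virginia".
        "porn_with_-o": evaluate(ruleset, PORN, PASS_FIRST_ORDER),
        # Trailing-space variant: no more "Virginia" false positive...
        "space_fix_virginia": evaluate([PORN_VIRGIN_SPACE], VIRGINIA),
        "space_fix_porn": evaluate([PORN_VIRGIN_SPACE], PORN),
        # ...but it also misses "virgin" followed by punctuation or a tag.
        "space_fix_end_of_tag": evaluate([PORN_VIRGIN_SPACE], END_OF_TAG),
    }


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name:26s} -> {action}")
```

The last entry is the caveat a practitioner would want before adopting the trailing-space fix: it trades one false positive for false negatives wherever the word ends a sentence or an HTML tag, so a pass rule run with '-o' (or a tighter content string that the real traffic justifies) is usually the better trade.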
