Viewing detail logs causes secondary false positive.

["R. Anthony Kolstee" <tkolstee () manyroads com>]

I run both SnortReport and ACID on my snort logs, and have experienced
an interesting phenomena with both. Pardon me if this is in TFM
somewhere...

When viewing the detailed logs including payload data on an alert, I've
found that the content revealed in the payload usually causes a
secondary alert to occur. Obviously the content of the payload being
viewed is going to contain the original string that caused the IDS to
alert in the first place, but has anyone found a reliable way around
this? My only thought at the moment is to use SSL on the web browser
when viewing these reports; does anyone else have a better way around
this that isn't immediately apparent to me? Note that I can't make the
console immune or invisible to alerts on port 80, because the box in
question is a collocated web server and as such is self-contained.

Attachment: signature.asc
Description: This is a digitally signed message part