Re: False positive

[Joel Esler <eslerj () gmail com>]

I think the use of the words "false positive" in this instance is 
wrong.  A false positive indicates that what alerted a rule is not what 
is actually taking place in traffic.  The rule will alert on what you 
have in the rule construct.  Now will the "msg" of the alert match what 
is actually taking place?  That's what you're asking...

It's not possible (hardly) to be able to tell which of the alerts are 
"false positives" without actual packet payload data.

Joel

On Jul 18, 2005, at 10:43 AM, Angelita de Cássia Corrêa wrote:

> I receive many of these alerts, what are really false positives? 
>  
> (http_inspect) BARE BYTE UNICODE ENCODING  
> (http_inspect) OVERSIZE REQUEST-URI DIRECTORY  
> (http_inspect) IIS UNICODE CODEPOINT ENCODING  
> (snort_decoder): Truncated Tcp Options  
> (snort_decoder): Tcp Options found with bad lengths  
> attempted-recon: (http_inspect) DOUBLE DECODING ATTACK  
> attempted-dos: ICMP PATH MTU denial of service  
> misc-activity: ICMP PING CyberKit 2.2 Windows  
> non-standard-protocol: (http_inspect) OVERSIZE CHUNK ENCODING  
>  
> Thanks,
> Angelita


-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_idt77&alloc_id492&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users