Snort mailing list archives

Re: Proxy Servers generating false positives


From: "Chan, Wilson" <wchan () honolulu gov>
Date: Fri, 30 Oct 2009 17:34:37 -1000

What rules sets from snort would these malware be triggering?

Wilson

----- Original Message -----
From: Jefferson, Shawn <Shawn.Jefferson () bcferries com>
To: Chan, Wilson; snort-users () lists sourceforge net <snort-users () lists sourceforge net>
Sent: Fri Oct 30 11:57:31 2009
Subject: RE: Proxy Servers generating false positives

Well, I could see straight off the bat that you would be possibly giving up detection on attack responses and malware 
that is proxy-aware.  Most of the malware that gets past our perimeter (and detected by my various detection systems in 
place) is web-based that users are surfing to.


From: Chan, Wilson [mailto:wchan () honolulu gov] 
Sent: Friday, October 30, 2009 1:48 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Proxy Servers generating false positives

It seems that Snort is generating a lot of false positives for the web traffic heading to our internal proxy servers. 
Instead of creating thresholds/disabling sigs per alert does it make more sense to just use a BPF to filter out port 
8080 to our proxy servers? Is this standard practice or will I lose too much on the detection realm? What am I giving 
up? Thanks!

Wilson
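An added configuration example, not from the thread, that lays the two approaches Wilson weighs side by side: a BPF filter drops the proxies' port-8080 traffic before any rule sees it (which is exactly the detection Shawn says you give up), while suppress/event_filter entries keep inspecting that traffic and only quiet the specific signatures that misfire. The proxy addresses, interface and sig_id are assumed placeholders.

```conf
# Assumed: internal proxies 10.1.1.10 and 10.1.1.11, listening on TCP 8080,
# Snort 2.x sniffing on eth1. Replace with your own values.

# ---- Option A: BPF filter (what the original question proposes) ----
# Snort accepts a BPF expression as trailing command-line arguments, or from
# a file named with "config bpf_file:". Matching packets are discarded before
# preprocessors and rules run, so nothing on these flows is ever inspected:
# neither attack responses coming back through the proxy nor proxy-aware
# malware beaconing out over it.
#
#   snort -c /etc/snort/snort.conf -i eth1 \
#       'not ((host 10.1.1.10 or host 10.1.1.11) and port 8080)'
#
# Same expression kept in snort.conf instead of on the command line:
#   config bpf_file: /etc/snort/proxy_exclude.bpf

# ---- Option B: keep inspecting, silence only the noisy signatures ----
# Goes in threshold.conf (pulled in by "include threshold.conf").
# gen_id 1 is the rule engine; sig_id 1000001 is a placeholder for the
# rule that is misfiring on proxy traffic.

# Drop alerts for that one rule only when the destination is a proxy.
suppress gen_id 1, sig_id 1000001, track by_dst, ip 10.1.1.10/32
suppress gen_id 1, sig_id 1000001, track by_dst, ip 10.1.1.11/32

# Or rate-limit instead of silencing: at most one alert per source per minute,
# so a real outbreak still shows up while steady false positives are throttled.
event_filter gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 60

# ---- Option C: tell Snort that 8080 is HTTP ----
# Many false positives on proxy traffic come from rules keyed on $HTTP_PORTS and
# $HTTP_SERVERS when the proxy port is not in those variables. Declaring it lets
# http_inspect normalize the traffic and lets HTTP rules match as intended.
ipvar   HTTP_SERVERS [10.1.1.10,10.1.1.11]
portvar HTTP_PORTS   [80,8080]
```

Option B and C preserve the visibility Shawn is concerned about; if you do go with Option A, treat the excluded flows as a blind spot that the proxy's own logs must cover.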
