Snort mailing list archives
Re: False Positives on 1:17246
From: Josh Little <josh () zombietango com>
Date: Thu, 14 Oct 2010 10:12:16 -0400
On 10/14/2010 9:54 AM, Christopher A. Libby wrote:
> Looks like there are a lot of false positives being generated on
> SPECIFIC-THREATS Multiple vendor Antivirus magic byte detection evasion attempt. I haven't had time to review the rule itself to see if I can figure out what the issue is exactly - I can supply data if needed.
>
> Also - does anyone have a script that could extract the full details of
> the event from the Snorby database? I have a hard time providing data using the web-based export methods, as it doesn't contain all the information. Thanks!
I'll second the large amounts of "false positives" on that signature. I came in today to several hundred alerts for 17246. The signature src addresses are fairly random (banking site, diet site, several ad servers, etc.) and all are from web traffic (tcp/80).

Josh Little
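The pattern Josh describes (many alerts for one SID, random source addresses, every one of them coming from tcp/80) is the usual fingerprint of a rule matching benign server responses. The script below is an added triage example written for this thread; it is not code from the original message or from the Snort project. It assumes alerts in Snort's alert_fast text format and aggregates them per rule so the spread of sources and source ports can be read off directly. The sample alert lines are constructed (addresses from documentation ranges; the rule revision, classification and the second rule's SID are placeholders), and the "review-rule" thresholds are an assumption to be tuned per site.

```python
import re
from collections import Counter

# Regex for Snort's alert_fast line format:
# <timestamp>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Constructed sample alerts (not real captures). Rule revision "4", the
# classification text and SID 1000001 are placeholders, not values from the thread.
SAMPLE_ALERTS = """\
10/14-09:51:02.118273  [**] [1:17246:4] SPECIFIC-THREATS Multiple vendor Antivirus magic byte detection evasion attempt [**] [Classification: Misc Attack] [Priority: 2] {TCP} 203.0.113.10:80 -> 192.0.2.21:49152
10/14-09:51:09.402110  [**] [1:17246:4] SPECIFIC-THREATS Multiple vendor Antivirus magic byte detection evasion attempt [**] [Classification: Misc Attack] [Priority: 2] {TCP} 198.51.100.7:80 -> 192.0.2.21:49160
10/14-09:52:31.771904  [**] [1:17246:4] SPECIFIC-THREATS Multiple vendor Antivirus magic byte detection evasion attempt [**] [Classification: Misc Attack] [Priority: 2] {TCP} 203.0.113.44:80 -> 192.0.2.33:51200
10/14-09:52:33.010555  [**] [1:17246:4] SPECIFIC-THREATS Multiple vendor Antivirus magic byte detection evasion attempt [**] [Classification: Misc Attack] [Priority: 2] {TCP} 198.51.100.7:80 -> 192.0.2.33:51204
10/14-09:53:05.630021  [**] [1:17246:4] SPECIFIC-THREATS Multiple vendor Antivirus magic byte detection evasion attempt [**] [Classification: Misc Attack] [Priority: 2] {TCP} 203.0.113.99:80 -> 192.0.2.40:50010
10/14-09:53:11.000001  [**] [1:1000001:1] LOCAL constructed test rule [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.0.2.5:5353 -> 224.0.0.251:5353
"""


def parse_alerts(text):
    """Parse alert_fast lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        a = m.groupdict()
        for key in ("gid", "sid", "rev", "sport", "dport"):
            a[key] = int(a[key])
        alerts.append(a)
    return alerts


def summarize_rule(alerts, gid=1, sid=17246):
    """Aggregate one rule's alerts: volume, spread of sources/destinations, source ports."""
    hits = [a for a in alerts if a["gid"] == gid and a["sid"] == sid]
    return {
        "count": len(hits),
        "unique_sources": len({a["src"] for a in hits}),
        "unique_destinations": len({a["dst"] for a in hits}),
        "source_ports": Counter(a["sport"] for a in hits),
        "top_sources": Counter(a["src"] for a in hits).most_common(5),
    }


def triage_hint(summary, min_alerts=100, min_sources=20):
    """Heuristic verdict (assumed thresholds): many unrelated servers all replying
    on a single well-known service port points at the rule, not at an attack."""
    if summary["count"] == 0:
        return "no-alerts"
    ports = summary["source_ports"]
    single_service_port = len(ports) == 1 and next(iter(ports)) < 1024
    widespread = summary["count"] >= min_alerts and summary["unique_sources"] >= min_sources
    if single_service_port and widespread:
        return "review-rule"
    if single_service_port:
        return "watch"
    return "investigate"


if __name__ == "__main__":
    summary = summarize_rule(parse_alerts(SAMPLE_ALERTS))
    for k, v in summary.items():
        print(f"{k}: {v}")
    print("verdict:", triage_hint(summary))
```

Feed it the alert file for the day (`python triage.py < alert`) once `SAMPLE_ALERTS` is replaced by `sys.stdin.read()`; the useful fields to carry into a rule review are the source-port histogram (all 80, as in the thread) and the top sources, which should be unrelated web servers if the rule is firing on ordinary HTTP responses.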
Current thread:
- False Positives on 1:17246 Christopher A. Libby (Oct 14)
- Re: False Positives on 1:17246 Josh Little (Oct 14)
- Re: False Positives on 1:17246 Nigel Houghton (Oct 14)
- Re: False Positives on 1:17246 Josh Little (Oct 14)