Snort mailing list archives

Re: signature true positive or not


From: Yossi <yasayag () gmail com>
Date: Wed, 25 Jan 2012 09:18:44 +0200

Thanks, but I already analyzed it and came to the conclusion that in my case all the alerts I was getting were false positives, and that is why I had disabled it.

On 01/24/2012 05:50 PM, JJC wrote:
Beyond that, as was mentioned earlier, we cannot possibly tell you if it was a true positive or a false positive in your environment. Often even if you provide a PCAP. Sure, with a PCAP we could probably say.. this was a legitimate attack, but if the target system is not vulnerable.... There are a number of factors that YOU as the analyst must be able to answer and work your way through to determine this.

JJC

On Tue, Jan 24, 2012 at 6:31 AM, Kevin Ross <kevross33 () googlemail com> wrote:

    Oh right. Well it is just that when VRT release their rulesets
    they will tell you whether or not by default it is enabled or
    disabled. If it is a rule you would like to run you have to enable
    it yourself (using pulledpork) and vice versa for disabling any
    enabled by default rules you don't need. In contrast the
    emergingthreats.net rules are largely distributed entirely
    enabled unless it is a performance/false positive concern and
    it is up to you to disable them as needed.

    Kind Regards,
    Kevin Ross

    On 24 January 2012 09:50, Yossi <yasayag () gmail com> wrote:

        I just wanted to understand the meaning of "Default rule
        state" = DISABLED.
        Should I disable the rule in the rule files, or has the rule
        not been updated?

        yossi


        On 01/24/2012 11:33 AM, Kevin Ross wrote:
        I am not sure exactly what you mean but I will make a few
        guesses and hope I answer your question:

        1) If you mean about it saying it is disabled in the rule
        update that means by default it is disabled and it is up to
        you whether or not you want to enable it.
        2) If you did enable it and you got a hit we won't be able to
        determine if it was a true positive (when it really is an
        attack) or a false negative (when the sig fires but the
        traffic isn't an attack) unless you provide a packet.

        Kind Regards,
        Kevin Ross


        On 24 January 2012 09:11, Yossi <yasayag () gmail com> wrote:

            Can someone explain the meaning of the content which
            I found on the VRT site.

            Sourcefire VRT Rules Update


                  Date: 2011-12-28

            This is the complete list of rules modified and added in
            the Sourcefire VRT Certified rule pack for Snort version
            2.9.1.0.

            The format of the file is:

            *gid:sid <-> Default rule state <-> Message (rule group)*


                New Rules:

              * 1:20821<->  DISABLED<->  EXPLOIT Apache APR header memory corruption attempt (exploit.rules)


            Is signature 20821 (EXPLOIT Apache APR header memory
            corruption attempt) a true positive, and should it be
            disabled or not?

            Thanks

            ------------------------------------------------------------------------------
            Keep Your Developer Skills Current with LearnDevNow!
            The most comprehensive online learning library for
            Microsoft developers
            is just $99.99! Visual Studio, SharePoint, SQL - plus
            HTML5, CSS3, MVC3,
            Metro Style Apps, more. Free future releases when you
            subscribe now!
            http://p.sf.net/sfu/learndevnow-d2d
            _______________________________________________
            Snort-users mailing list
            Snort-users () lists sourceforge net
            <mailto:Snort-users () lists sourceforge net>
            Go to this URL to change user options or unsubscribe:
            https://lists.sourceforge.net/lists/listinfo/snort-users
            Snort-users list archive:
            http://www.geocrawler.com/redir-sf.php3?list=snort-users

            Please visit http://blog.snort.org to stay current on all
            the latest Snort news!





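As an added example (not part of this thread, and not VRT or pulledpork code), the following Python script parses the "gid:sid <-> Default rule state <-> Message (rule group)" listing format quoted above and turns an analyst's decision into the gid:sid override lists that pulledpork reads from enablesid.conf and disablesid.conf. It follows the workflow Kevin describes: a rule the update ships DISABLED must be enabled explicitly if you want it, and a rule shipped ENABLED must be disabled explicitly if you do not. The sample listing embeds the one real line from the thread (1:20821) plus two constructed entries with SIDs in the local range; the one-entry-per-line enablesid/disablesid format is my assumption about pulledpork.

```python
import re
from dataclasses import dataclass

# One line of the VRT rule update listing:
#   gid:sid <-> Default rule state <-> Message (rule group)
# A leading "*" bullet and variable whitespace around "<->" are tolerated;
# header lines such as "New Rules:" simply do not match and are skipped.
RULE_LINE = re.compile(
    r"^\s*\*?\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[^()]+)\)\s*$"
)


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    state: str      # "ENABLED" or "DISABLED" as shipped in the rule pack
    message: str    # the rule's msg text
    group: str      # rule file it lives in, e.g. exploit.rules


def parse_update_listing(text):
    """Return every parsable gid:sid line of a VRT update listing, in order."""
    entries = []
    for line in text.splitlines():
        m = RULE_LINE.match(line)
        if m:
            entries.append(RuleEntry(int(m["gid"]), int(m["sid"]),
                                     m["state"], m["msg"].strip(), m["group"]))
    return entries


def disabled_by_default(entries):
    """Rules that will not fire after an update unless you enable them yourself."""
    return [e for e in entries if e.state == "DISABLED"]


def pulledpork_overrides(entries, wanted_sids):
    """Compute (enablesid, disablesid) gid:sid lists for a local policy.

    wanted_sids is the set of SIDs the analyst has decided should run.
    Shipped-DISABLED rules in that set go to enablesid; shipped-ENABLED rules
    outside it go to disablesid (assumption: one gid:sid per line is what
    pulledpork's enablesid.conf / disablesid.conf expect).
    """
    enable = [f"{e.gid}:{e.sid}" for e in entries
              if e.state == "DISABLED" and e.sid in wanted_sids]
    disable = [f"{e.gid}:{e.sid}" for e in entries
               if e.state == "ENABLED" and e.sid not in wanted_sids]
    return enable, disable


# Constructed sample listing: the first rule line is the one quoted in the
# thread; the two that follow are made up (local-range SIDs) for illustration.
SAMPLE_LISTING = """\
Sourcefire VRT Rules Update
Date: 2011-12-28

New Rules:

  * 1:20821<->  DISABLED<->  EXPLOIT Apache APR header memory corruption attempt (exploit.rules)
  * 1:9000001<->  ENABLED<->  CONSTRUCTED sample text rule enabled by default (sample.rules)
  * 3:9000002<->  DISABLED<->  CONSTRUCTED sample shared-object rule (sample-so.rules)
"""


if __name__ == "__main__":
    entries = parse_update_listing(SAMPLE_LISTING)
    print("shipped DISABLED (enable yourself if wanted):")
    for e in disabled_by_default(entries):
        print(f"  {e.gid}:{e.sid}  {e.message}  [{e.group}]")
    # Analyst decision for this example: run 20821 after validating it, skip the rest.
    enable, disable = pulledpork_overrides(entries, wanted_sids={20821})
    print("enablesid.conf lines:", enable)
    print("disablesid.conf lines:", disable)
```

Run it against a saved copy of a VRT update announcement to get the list of rules that will stay silent after the next pulledpork run; whether a given rule belongs in your enablesid.conf is still the analyst's call based on the platforms actually present on the monitored network, exactly as JJC points out.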