Re: signature true positive or not

[Joel Esler <jesler () sourcefire com>]

Excellent.

On a side note if an alert triggers on your device and you aren't sure if it's a FP or not, please file a FP report (at 
the bottom of snort.org in the black bar is the link) and the VRT will take a look at it and let you know.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Jan 25, 2012, at 2:18 AM, Yossi wrote:

> Thanks, but I already analyzed it and came to the conclusion that in my case all the alerts which I was getting, were 
> false-positive and that why I had disabled it.
>   
> On 01/24/2012 05:50 PM, JJC wrote:
> > Beyond that, as was mentioned earlier, we cannot possibly tell you if it was a true positive or a false positive in 
> > your environment.  Often even if you provide a PCAP.  Sure, with a PCAP we could probably say.. this was a 
> > legitimate attack, but if the target system is not vulnerable....  There are a number of factors that YOU as the 
> > analyst must be able to answer and work your way through to determine this.       
> >
> > JJC
> >
> > On Tue, Jan 24, 2012 at 6:31 AM, Kevin Ross <kevross33 () googlemail com> wrote:
> > Oh right. Well it is just that when VRT release their rulesets they will tell you whether or not by default it is 
> > enabled or disabled. If it is a rule you would like to run you have to enable it yourself (using pulledpork) and 
> > vice versa for disabling any enabled by default rules you don't need. In contrast the emergingthreats.net rules are 
> > largely distributed entirely enabled unless it is a performance/false positive concern and it is up to you to 
> > disable them as needed.
> >
> > Kind Regards,
> > Kevin Ross
> >
> > On 24 January 2012 09:50, Yossi <yasayag () gmail com> wrote:
> > I just wanted to understand the meaning of "Default rule state" = DISABLED.
> > Should I disabled the rule from the rule files, or the rule hasn't been updated.
> >
> > yossi
> >
> >
> > On 01/24/2012 11:33 AM, Kevin Ross wrote:
> > > I am not sure exactly what you mean but I will make a few guesses and hope I answer your question:
> > >
> > > 1) If you mean about it saying it is disabled in the rule update that means by default it is disabled and it is up 
> > > to you whether or not you want to enable it.
> > > 2) If you did enable it and you got a hit we won't be able to determine if it was a true positive (when it really 
> > > is an attack) or a false negative (when the sig fires but the traffic isn't an attack) unless you provide a packet. 
> > >
> > > Kind Regards,
> > > Kevin Ross
> > >
> > >
> > > On 24 January 2012 09:11, Yossi <yasayag () gmail com> wrote:
> > > Can someone explain the meaning of the the content which I'd found on the VRT site  . 
> > >
> > > > Sourcefire VRT Rules Update
> > > >
> > > > Date: 2011-12-28
> > > >
> > > > This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 
> > > > 2.9.1.0.
> > > >
> > > > The format of the file is:
> > > >
> > > > gid:sid <-> Default rule state <-> Message (rule group)
> > > >
> > > > New Rules:
> > > >
> > > >  * 1:20821 <-> DISABLED <-> EXPLOIT Apache APR header memory corruption attempt (exploit.rules)
> > >
> > >
> > > Is the signature 20821 (EXPLOIT Apache APR header memory corruption attempt) true positive and should be disabled 
> > > or not?
> > >
> > > Thanks 
> > >
> > > ------------------------------------------------------------------------------
> > > Keep Your Developer Skills Current with LearnDevNow!
> > > The most comprehensive online learning library for Microsoft developers
> > > is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
> > > Metro Style Apps, more. Free future releases when you subscribe now!
> > > http://p.sf.net/sfu/learndevnow-d2d
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > >
> > > Please visit http://blog.snort.org to stay current on all the latest Snort news!
> >
> >
> >
> > ------------------------------------------------------------------------------
> > Keep Your Developer Skills Current with LearnDevNow!
> > The most comprehensive online learning library for Microsoft developers
> > is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
> > Metro Style Apps, more. Free future releases when you subscribe now!
> > http://p.sf.net/sfu/learndevnow-d2d
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest Snort news!
>
> ------------------------------------------------------------------------------
> Keep Your Developer Skills Current with LearnDevNow!
> The most comprehensive online learning library for Microsoft developers
> is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
> Metro Style Apps, more. Free future releases when you subscribe now!
> http://p.sf.net/sfu/learndevnow-d2d_______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Keep Your Developer Skills Current with LearnDevNow!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-d2d

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!