Snort mailing list archives

Re: Question regarding a rule


From: James Lay <jlay () slave-tothe-box net>
Date: Wed, 25 Jun 2014 05:39:39 -0600

On Tue, 2014-06-24 at 21:36 +0100, Charlie Egan wrote:
Nope, none whatsoever other than specifying my $HOME_NET IP. I assumed
they may be false positives, but I'm only downloading one torrent file
to my desktop when I run the test, so it doesn't make sense to me why
25-odd alerts are popping up. The content of the rule is at the
beginning of the hex dump of the metafile, and |38 64 61| certainly
doesn't pop up again within the file.


Do you have any idea what could be causing false positives?

Cheers


If you'd like to share a pcap of the file off list I'll take a look at
that and the current rule you're trying.

James
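To make the check Charlie describes repeatable (does the rule's content occur anywhere in the file besides the start, and does an offset/depth constraint change that), here is an added Python helper that is not part of this thread or of Snort itself. It parses Snort's content notation (literal text with |hex| sections), then reports every offset where the bytes occur, honouring Snort's offset/depth semantics. The sample buffer is constructed for the example and only stands in for the metafile.

```python
# Convert a Snort content value such as '"|38 64 61|"' or '"GET |0d 0a|"'
# to raw bytes: text outside pipes is literal, text inside pipes is
# space-separated hex. Escape sequences (\" \; \|) are not handled here.
def snort_content_to_bytes(content: str) -> bytes:
    content = content.strip('"')
    out = bytearray()
    for idx, chunk in enumerate(content.split('|')):
        if idx % 2 == 1:                       # odd chunks sit between pipes
            out += bytes.fromhex(chunk.replace(' ', ''))
        else:                                  # even chunks are literal text
            out += chunk.encode('latin-1')
    return bytes(out)


# Return every offset at which `pattern` occurs in `data`.
# `offset` is where the search starts; `depth` limits how many bytes from
# that point may be searched, and the whole pattern must fit inside it,
# which is how Snort applies the offset/depth modifiers to a content match.
def find_matches(data: bytes, pattern: bytes, offset: int = 0,
                 depth: int = None) -> list:
    end = len(data) if depth is None else min(len(data), offset + depth)
    window = data[offset:end]
    hits = []
    pos = window.find(pattern)
    while pos != -1:
        hits.append(offset + pos)
        pos = window.find(pattern, pos + 1)
    return hits


# Constructed sample: the rule's three bytes at the very start, followed by
# bencoded-looking filler that does not repeat them. Real .torrent files
# begin with "d8:announce"; this buffer is only a stand-in for the thread.
SAMPLE = (b"8da"
          b"d8:announce35:http://tracker.example.invalid/announce"
          b"4:infod6:lengthi1024ee")

if __name__ == "__main__":
    pattern = snort_content_to_bytes('"|38 64 61|"')
    print("unanchored hits:", find_matches(SAMPLE, pattern))
    print("depth:3 hits:   ", find_matches(SAMPLE, pattern, depth=3))
```

Running it against the real metafile instead of SAMPLE shows whether the unanchored match count differs from the `depth`-limited one; if both give a single hit, the extra alerts are not coming from repeated occurrences of the bytes within that file.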

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org