Snort mailing list archives

Re: [Emerging-Sigs] FP on 2011124


From: "Stanwyck, Carraig - ASOC - Kansas City, MO" <Carraig.Stanwyck () asoc usda gov>
Date: Thu, 4 Aug 2016 00:00:59 +0000

Yes, though we’re seeing it in Sourcefire.  I can modify the rule internally to exclude PDFs, but saw a comment on 
emerging threats forum that other people were having the same FP issues.  Better if we could get it fixed in the rule 
set for everyone.

Regards,
Carraig Stanwyck
USDA | OCIO | ASOC



From: Pedro Marinho [mailto:pppmarinho () gmail com]
Sent: Wednesday, August 03, 2016 9:09 AM
To: Stanwyck, Carraig - ASOC - Kansas City, MO <Carraig.Stanwyck () asoc usda gov>
Cc: emerging-sigs () lists emergingthreats net; snort-sigs () lists sourceforge net
Subject: Re: [Emerging-Sigs] FP on 2011124

Hi Stanwyck,

Are you seeing false positives in HTTP traffic on Snort? If that is the case, perhaps the best way to avoid that would
be adding a negative flowbits test for the PDF file being downloaded in HTTP, flowbits ET.pdf.in.http.

Like:

flowbits:isnotset,ET.pdf.in.http;

That flowbit is set by sid 2015671.

On Tuesday, 2 August 2016, Stanwyck, Carraig - ASOC - Kansas City, MO <Carraig.Stanwyck () asoc usda
gov<mailto:Carraig.Stanwyck () asoc usda gov>> wrote:
Good Evening,

I am having benign pdfs hit on this rule.  Any way to exclude pdf files?

Regards,

Carraig Stanwyck
USDA | OCIO | ASOC






This electronic message contains information generated by the USDA solely for the intended recipients. Any unauthorized 
interception of this message or the use or disclosure of the information it contains may violate the law and subject 
the violator to civil or criminal penalties. If you believe you have received this message in error, please notify the 
sender and delete the email immediately.
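The flowbit pattern Pedro describes, written out as an added example that is not part of the thread and not the text of the real ET rules: the bodies of sid 2011124 and sid 2015671 are not shown on this page, so both rules below are hypothetical stand-ins (placeholder msg strings, placeholder content matches and sids in the 9000000 local range). Only the flowbit handling is the point: the first rule recognises a PDF in an HTTP response body, sets ET.pdf.in.http on that flow and stays silent; the second rule carries the flowbits:isnotset test so it no longer alerts on a flow where the PDF setter has already fired.

```snort
# Hypothetical setter rule standing in for sid 2015671 (the real rule text is not on the page).
# Matches the PDF magic at the start of an HTTP response body, sets the flowbit for the
# rest of the session, and suppresses its own alert with flowbits:noalert.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE INFO PDF in HTTP flowbit set"; flow:established,to_client; file_data; content:"%PDF-"; depth:5; flowbits:set,ET.pdf.in.http; flowbits:noalert; classtype:not-suspicious; sid:9000001; rev:1;)

# Hypothetical consumer rule standing in for the adjusted sid 2011124. The content match is a
# placeholder; the added option is flowbits:isnotset,ET.pdf.in.http, which makes the rule skip
# any flow on which the setter above has already fired.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE suspicious content in HTTP response, not a PDF"; flow:established,to_client; flowbits:isnotset,ET.pdf.in.http; file_data; content:"EXAMPLE_PLACEHOLDER_PATTERN"; nocase; classtype:bad-unknown; sid:9000002; rev:1;)
```

Two checks before relying on this: the setter rule (sid 2015671 in the real ruleset) must actually be enabled on the sensor, because an isnotset test against a flowbit that nothing ever sets is always true and changes nothing; and the flowbit is per-flow, so it only suppresses alerts on the same TCP session in which the PDF was seen, which is exactly the scope wanted here.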
------------------------------------------------------------------------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
