[Snort-sigs] Submitting false positive reports

Nigel Houghton nigel at ...435...
Wed Jan 11 22:55:01 EST 2006


On  0, Ureleet Ureleet <ureleet at ...2420...> allegedly wrote:
> What is the official policy on submitting FPs?  Description and packet
> captures?  But to what address?  Where to send them?

OK, a quick ramble on submitting false positive info:

Emailing everything to research at sourcefire dot com would be sufficient in most instances.

You could always search out someone from the VRT, or look at the rule doc to see who is to blame for the rule, and send it to them.
 
When sending in a report, please try to capture the entire session for TCP events; single packets don't help all that much. Get as much as you can for UDP events, and for everything else, use your best judgement to get as much information as you think might be necessary. This should save time, since we will only ask for this stuff if we don't get it from the start.

The description of the false positive should contain information such as client/server architecture, operating systems and applications used, as well as any other information concerning the circumstances surrounding the false positive. Try to be as thorough as possible; it is easier to remove non-pertinent information than to add in information we don't have (if you see what I mean) :)

Remember, if you need to obfuscate IP address information, the -O switch is your best buddy.

Also, bear in mind that your false positive information may not be added to the rule documentation immediately; we are going to try to fix the rule first so it doesn't happen again. If, for some reason, this is not possible, then the information will be added and we will give you credit in the doc.

One last thing: please make sure your false positive isn't happening because of some information not being correctly set in your snort.conf. Spend a little time, think about it, and when you are pretty certain you have a false positive, send in your info.

+--------------------------------------------------------------------+
     Nigel Houghton      Research Engineer       Sourcefire Inc.
                   Vulnerability Research Team

         There is no theory of evolution, just a list
            of creatures Vin Diesel allows to live.
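
A small pre-flight check for the "capture the entire session" advice in the post above. This is an added example, not code from the original message or from Sourcefire: it parses a libpcap file with only the Python standard library, groups TCP packets by flow regardless of direction, and reports any flow for which the handshake (SYN and SYN/ACK) and a close (FIN or RST) were not all captured. The sample capture, the documentation addresses in it, and the function names are all constructed for this example; it does not replace the -O obfuscation the post mentions, which Snort applies to its own output.

```python
"""Check that a pcap holds whole TCP sessions before mailing it as a
false-positive report.  Added example, not part of the original post."""
import struct
from collections import defaultdict

# TCP flag bits
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


def build_packet(src, dst, sport, dport, flags, payload=b""):
    """Build a minimal Ethernet/IPv4/TCP frame for the constructed sample
    (checksums are left zero; this is not a real capture)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags,
                      65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a little-endian libpcap file (linktype 1 = Ethernet)."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    recs = b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f
                    for i, f in enumerate(frames))
    return hdr + recs


def iter_frames(pcap):
    """Yield raw frames from a little-endian libpcap blob."""
    if struct.unpack("<I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian pcap magic 0xA1B2C3D4 handled")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack("<IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl]
        off += incl


def tcp_flow(frame):
    """Return (flow_key, tcp_flags) for an IPv4/TCP frame, else None.
    The key is direction-independent so both halves of a session match."""
    if frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if ip[9] != 6:                       # not TCP
        return None
    ihl = (ip[0] & 0x0F) * 4
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    a, b = (src, sport), (dst, dport)
    return (min(a, b), max(a, b)), tcp[13]


def session_report(pcap):
    """Map each TCP flow to the control flags seen and a verdict.
    'complete' means SYN, SYN/ACK and a FIN or RST were all captured;
    anything less is the partial capture the post asks you to avoid."""
    seen = defaultdict(set)
    for frame in iter_frames(pcap):
        parsed = tcp_flow(frame)
        if parsed is None:
            continue
        key, flags = parsed
        s = seen[key]                    # touch so data-only flows are listed
        if flags & SYN and not flags & ACK:
            s.add("SYN")
        if flags & SYN and flags & ACK:
            s.add("SYN/ACK")
        if flags & FIN:
            s.add("FIN")
        if flags & RST:
            s.add("RST")
    return {key: {"flags": sorted(s),
                  "complete": {"SYN", "SYN/ACK"} <= s and bool({"FIN", "RST"} & s)}
            for key, s in seen.items()}


def check_capture(pcap):
    """True only if the capture holds at least one flow and every flow is whole."""
    report = session_report(pcap)
    return bool(report) and all(v["complete"] for v in report.values())


# Constructed sample traffic using RFC 5737 documentation addresses.
CLIENT, SERVER = "192.0.2.10", "198.51.100.20"
FULL_SESSION = build_pcap([
    build_packet(CLIENT, SERVER, 40000, 80, SYN),
    build_packet(SERVER, CLIENT, 80, 40000, SYN | ACK),
    build_packet(CLIENT, SERVER, 40000, 80, ACK),
    build_packet(CLIENT, SERVER, 40000, 80, ACK, b"GET / HTTP/1.0\r\n\r\n"),
    build_packet(SERVER, CLIENT, 80, 40000, ACK | FIN),
])
ONE_PACKET = build_pcap([                # the lone alert packet, handshake missing
    build_packet(CLIENT, SERVER, 40001, 80, ACK, b"GET / HTTP/1.0\r\n\r\n"),
])

if __name__ == "__main__":
    for name, cap in (("full session", FULL_SESSION), ("single packet", ONE_PACKET)):
        print(name, "ok to send" if check_capture(cap) else "INCOMPLETE",
              session_report(cap))
```

Run it against your own file by replacing the constructed blobs with `open("capture.pcap", "rb").read()`; a flow reported as incomplete is the one the VRT will ask you to re-capture.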