[Snort-sigs] new rule 40268

Joel Esler (jesler) jesler at ...3865...
Mon Sep 26 18:03:49 EDT 2016

You can submit false positives for us to review by going to Snort.org, logging in at the top right, and visiting our community page:

At the bottom, you’ll see a place to submit false positives to us.  We are currently revamping this to make it easier to get to.

Joel Esler
Talos Group

On Sep 26, 2016, at 3:15 PM, Stanwyck, Carraig - ASOC - Kansas City, MO <Carraig.Stanwyck at ...4154...> wrote:


I just emailed them this morning on the same issue.  We’re seeing FPs on this rule too.

Carraig Stanwyck

From: Johnson, John [mailto:jj at ...4181...]
Sent: Monday, September 26, 2016 1:50 PM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] new rule 40268


The new rule 40268 (9/22/16) has triggered a couple of times here and I’m not really convinced it's not a false positive.
I see a match on the 32 characters in an email – what else can I do to verify this is a legitimate hit?

