[Snort-users] False Positives
kfreeman at ...2939...
Wed Aug 28 12:41:03 EDT 2002
Greetings fellow Snorters;
I have been experiencing a lot of false positives, and need a little help.
The false positives are being generated by this "porn virgin" ruleset:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN virgin"; content:"virgin"; nocase; flags:A+; classtype:kickass-porn; sid:1796;)
The problem is that whenever a packet with the word "Virginia" traverses my
network, it is logged as an alert.
What is the best method to prevent this?
Add a rule to local.rules like this:
# pass rules take the same parenthesised option list as alert rules; the sid must not
# reuse 1796, and a classtype used here has to be defined in classification.config
pass tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (content:"Virginia"; nocase; flags:A+; classtype:false-positive-porn; sid:1000001;)
Is there a way to add a second content section to the existing rule?
Does Snort support regular expressions in the rules (not, if, or, else,
Any help will be greatly appreciated.
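Added illustration, not part of the original post: a small Python emulation of the substring matching behind the false positive, the proposed pass rule, and a word-boundary regular expression of the kind the pcre rule option provides in later Snort releases. It assumes pass rules are evaluated before alert rules (Snort's -o ordering) and uses constructed payloads rather than captured traffic.

```python
import re

# Constructed sample payloads (not real traffic) exercising the problem in the
# post: content:"virgin"; nocase; also matches inside the word "Virginia".
PAYLOADS = {
    "virginia": b"GET /guide/Virginia/Richmond.html HTTP/1.0\r\n",
    "porn": b"<title>virgin teens</title>",
    "both": b"Visit Virginia ... virgin videos",   # true positive that a pass rule hides
    "clean": b"<title>Weather forecast</title>",
}

def content_match(payload: bytes, needle: bytes, nocase: bool = True) -> bool:
    """Emulate Snort's content:"..."; nocase; option: a plain substring test."""
    if nocase:
        return needle.lower() in payload.lower()
    return needle in payload

def alerts_with_pass_rule(payload: bytes) -> bool:
    """sid:1796 plus the proposed pass rule on "Virginia", pass rule checked
    first (assumes Pass->Alert->Log order, i.e. snort -o)."""
    if content_match(payload, b"Virginia"):
        return False          # whole packet suppressed, whatever else it contains
    return content_match(payload, b"virgin")

# Word-boundary form: matches "virgin" as a word, not as a prefix of "Virginia".
WORD_VIRGIN = re.compile(rb"\bvirgin\b", re.IGNORECASE)

def alerts_with_word_boundary(payload: bytes) -> bool:
    """Equivalent of pcre:"/\\bvirgin\\b/i" in place of the bare content match."""
    return WORD_VIRGIN.search(payload) is not None

def evaluate(payload: bytes) -> dict:
    """Return the verdict of each approach for one payload."""
    return {
        "content_only": content_match(payload, b"virgin"),
        "with_pass_rule": alerts_with_pass_rule(payload),
        "word_boundary": alerts_with_word_boundary(payload),
    }

if __name__ == "__main__":
    for name, data in PAYLOADS.items():
        print(name, evaluate(data))
```

The "both" payload shows the cost of the pass-rule approach: it silences the genuine match along with the false positive, whereas the word-boundary match keeps it.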