[Snort-users] False Positives

Kent Freeman kfreeman at ...2939...
Wed Aug 28 12:41:03 EDT 2002


Greetings fellow Snorters;

I have been experiencing a lot of false positives, and need a little help.

The false positives are being generated by this "porn virgin" ruleset:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN virgin";
content:"virgin"; nocase; flags:A+; classtype:kickass-porn; sid:1796;
rev:1;)

The problem is that whenever a packet with the word "Virginia" traverses my
network, it is logged as an alert.

What is the best method to prevent this?

Add a rule to local.rules like this:

pass tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (content:"Virginia";
flags:A+; classtype:false-positive-porn; sid:1796;
rev:1;)

Is there a way to add a second content section to the existing rule?

Does Snort support regular expressions in the rules (not, if, or, else,
etc.)?

Any help will be greatly appreciated.

Kent Freeman
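Added example (not part of the original post, and not Snort's own code): a toy evaluator for the content/nocase/pcre rule options, run over a few constructed HTTP response bodies, to show why content:"virgin"; nocase; fires on "Virginia" and how adding a pcre word-boundary match to the same rule stops it. Snort does allow several content options in one rule, and Snort 2.x adds the pcre option (Perl-compatible regular expressions). The evaluator ignores the header fields and the flags option, which do not depend on payload bytes, and it is not a Snort implementation; the sid 1000001 is an assumed local-range sid, and the sample payloads are constructed.

```python
import re

# One option in the parenthesised rule body, in any of the forms
#   key:"quoted value";    key:bare value;    nocase;   (bare flag)
OPTION_RE = re.compile(r'(\w+)(?::\s*(?:"([^"]*)"|([^;]*)))?\s*;')


def parse_options(rule):
    """Return [(key, value), ...] from the body of a Snort rule string."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts = []
    for m in OPTION_RE.finditer(body):
        value = m.group(2) if m.group(2) is not None else (m.group(3) or "").strip()
        opts.append((m.group(1), value))
    return opts


def matches(rule, payload):
    """True if every content and pcre option in `rule` matches `payload`.

    As in Snort, a `nocase` immediately after a content option makes that
    content match case-insensitively. Other options (msg, flags, classtype,
    sid, rev) affect output, not payload matching, and are ignored here.
    """
    opts = parse_options(rule)
    for i, (key, val) in enumerate(opts):
        if key == "content":
            nocase = i + 1 < len(opts) and opts[i + 1][0] == "nocase"
            hay, needle = (payload.lower(), val.lower()) if nocase else (payload, val)
            if needle not in hay:
                return False
        elif key == "pcre":
            # value is /pattern/flags; only the 'i' flag is mapped here
            pat, flags = val.rsplit("/", 1)
            re_flags = re.IGNORECASE if "i" in flags else 0
            if re.search(pat[1:], payload, re_flags) is None:
                return False
    return True


# The rule from the post, and the same rule with a word-boundary pcre added.
ORIGINAL = (r'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN virgin"; '
            r'content:"virgin"; nocase; flags:A+; classtype:kickass-porn; sid:1796; rev:1;)')
TIGHTENED = (r'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN virgin"; '
             r'content:"virgin"; nocase; pcre:"/\bvirgin\b/i"; flags:A+; '
             r'classtype:kickass-porn; sid:1000001; rev:1;)')  # sid is assumed

# Constructed sample payloads (HTTP response bodies), not captured traffic.
PAYLOADS = {
    "virginia": "HTTP/1.1 200 OK\r\n\r\n<p>Flights to Virginia Beach from $99</p>",
    "virgin_word": "HTTP/1.1 200 OK\r\n\r\n<p>virgin mobile tariffs</p>",
    "upper": "HTTP/1.1 200 OK\r\n\r\n<p>VIRGIN MEGASTORE opening hours</p>",
    "clean": "HTTP/1.1 200 OK\r\n\r\n<p>Weather for Richmond</p>",
}


def alerts(rule):
    """Names of the sample payloads that would raise an alert under `rule`."""
    return sorted(name for name, p in PAYLOADS.items() if matches(rule, p))


if __name__ == "__main__":
    print("original :", alerts(ORIGINAL))
    print("tightened:", alerts(TIGHTENED))
```

Adding the pcre option keeps the fast content prefilter and only applies the regex to packets that already contain the string, which is cheaper than a pcre-only rule. It still matches any standalone "virgin" (a brand name, for instance), so it narrows the false positives rather than eliminating them. On the pass-rule approach: a pass rule is only consulted before the alert rules when Snort is told to reorder them (the -o switch, or a config order line in snort.conf), the classtype name must exist in classification.config or Snort refuses to start, and reusing sid 1796 for the pass rule should be avoided since sids are meant to be unique; a pass rule also whitelists every packet containing "Virginia" for every other rule, which is broader than the fix above.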