[Snort-users] False Positives

Hutchinson, Andrew Andrew.Hutchinson at ...3639...
Wed Aug 28 13:37:03 EDT 2002

I believe that the alert rules are applied before the pass rules, and
thus the pass rule wouldn't work unless you changed the default alerting
order with the '-o' switch.

You could add a space after the word "virgin" in the content part of the
rule, if you wanted to.  Or you could just comment out the rule, let
some of the potential porn get by, and make Larry Flynt et al happy.


-----Original Message-----
From: Kent Freeman [mailto:kfreeman at ...2939...] 
Sent: Wednesday, August 28, 2002 2:41 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] False Positives

Greetings fellow Snorters;

I have been experiencing a lot of false positives, and need a little

The false positives are being generated by this "porn virgin" ruleset:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN virgin";
content:"virgin"; nocase; flags:A+; classtype:kickass-porn; sid:1796;

The problem is that whenever a packet with the word "Virginia" traverses
my network, it is logged as an alert.

What is the best method to prevent this?

Add a rule to local.rules like this:

pass tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any; content:"Virginia";
flags:A+; classtype:false-positive-porn; sid:1796;

Is there a way to add a second content section to the existing rule?

Does Snort support regular expressions in the rules (not, if, or, else,

Any help will be greatly appreciated.

Kent Freeman

This sf.net email is sponsored by: Jabber - The world's fastest growing 
real-time communications platform! Don't just IM. Build it in! 
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list