[Snort-users] False positives

Gary Verhulp garyv at ...7238...
Tue Oct 22 11:28:06 EDT 2002


That's what I'm sayin'
:)
I've determined that I have a false positive, i.e. I've examined the 
packets and I have reliable instances of false positives.

For instance, <possible .scr worm> is triggered by .scr 
which, as I understand it, reads as any character followed by "scr".

Anytime someone gets mail with HTML embedded that has the word 
"screensaver" or something like that, it triggers the alarm. I have a bunch 
of instances that I've determined to be false positives.
I just wanted to know if the people who maintain the signature database 
want this info. If so, what information should I provide, in what format, 
and to whom do I send it?

Thanks

Gary

Alberto Gonzalez wrote:
> IMHO, you shouldn't just dismiss alerts as false positives, you 
> determine if it's a false positive by investigating.
> If you have investigated before, and still are getting alerts, then you 
> can pretty much dismiss those (be warned).
> As to your e-mail, I really don't get what you're trying to say. Snort 
> reports on the rules you tell it to check packets
> against; it's that simple. The ones you define in your snort config (i.e. 
> snort.conf).
> 
> Hope it Helps
> 
>    - Albert
> 
> Gary Verhulp wrote:
> 
>> How does one report false positives for rules?
>>
>> What info do you need to include?
>>
>> Thanks
>>
>> Gary
>>
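To make the false-positive mechanism concrete, the following is an added example; it is not from this thread and not the Snort project's own rule. It runs three candidate patterns over constructed sample payloads: two benign HTML-mail bodies of the kind Gary describes and two MIME attachment headers that a ".scr worm" rule is presumably meant to catch. The pattern names, the sample texts and the assumption that the rule is case-insensitive are all mine; the thread does not quote the actual rule.

```python
import re

# Constructed sample payloads (not from the thread): two benign HTML-mail
# bodies like the ones Gary reports, and two MIME attachment headers that a
# ".scr worm" rule is presumably meant to catch.
SAMPLES = {
    "html_screensaver": "<p>Download our free screensaver today!</p>",
    "html_link": '<a href="http://www.screensavers.example/">pics</a>',
    "attachment": 'Content-Disposition: attachment; filename="party.scr"',
    "attachment_upper": 'Content-Disposition: attachment; filename="Invoice.SCR"',
}

# Ground truth for this example: the samples the rule *should* fire on.
MALICIOUS = {"attachment", "attachment_upper"}

# Candidate patterns, loosest to tightest. All are compiled case-insensitive,
# on the assumption that the real rule matches with nocase; the thread does
# not quote the rule, so this is an assumption.
PATTERNS = {
    # Gary's reading of the rule: '.' is a wildcard, so the space in
    # "free screensaver" satisfies it and the alert fires on plain text.
    "wildcard_dot": re.compile(r".scr", re.IGNORECASE),
    # A literal dot (what a Snort content:".scr" match does, if that is what
    # the rule uses): no longer fires on "screensaver", but still fires on
    # any host or path containing ".scr", e.g. www.screensavers.example.
    "literal_dot": re.compile(r"\.scr", re.IGNORECASE),
    # Literal dot plus a word boundary: ".scr" must be a complete extension,
    # not the prefix of a longer word such as ".screensavers".
    "literal_dot_boundary": re.compile(r"\.scr\b", re.IGNORECASE),
}


def evaluate(patterns=PATTERNS, samples=SAMPLES):
    """Return {pattern name: set of sample names that trigger it}."""
    return {
        name: {sid for sid, text in samples.items() if rx.search(text)}
        for name, rx in patterns.items()
    }


def score(hits, malicious=MALICIOUS):
    """Split one pattern's hits into (true positives, false positives)."""
    return hits & malicious, hits - malicious


if __name__ == "__main__":
    for name, hits in evaluate().items():
        tp, fp = score(hits)
        print(f"{name:22s} TP={sorted(tp)} FP={sorted(fp)}")
```

Running it shows the loosest pattern firing on both benign bodies, the literal-dot version still firing on the hostname, and only the boundary-anchored version matching just the two attachments. When reporting a false positive, the payload that fired plus the rule's SID and the exact pattern is the information that lets a maintainer reproduce the match this way.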
