[Snort-users] False positives
garyv at ...7238...
Tue Oct 22 11:28:06 EDT 2002
That's what I'm sayin'
I've determined that I have a false positive, i.e. I've examined the
packets and I have reliable instances of false positives.
For instance, <possible .scr worm> is triggered by .scr
which, as I understand it, reads as any character followed by "scr".
Anytime someone gets mail with embedded HTML that has the word
"screensaver" or something like that, it triggers the alarm. I have a bunch
of instances that I've determined to be false positives.
I just wanted to know if the people who maintain the signature database
want this info. If so, what information should I provide, in what format,
and to whom do I send it?
Alberto Gonzalez wrote:
> IMHO, you shouldn't just dismiss alerts as false positives; you
> determine if it's a false positive by investigating.
> If you have investigated before, and still are getting alerts, then you
> can pretty much dismiss those (be warned).
> As to your e-mail, I really don't get what you're trying to say. Snort
> reports on the rules you tell it to check packets
> against, that simple. The ones you define in your snort config. (ie
> Hope it Helps
> - Albert
> Gary Verhulp wrote:
>> How does one report false positives for rules?
>> What info do you need to include?
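The matching behaviour under discussion, as an added illustration that is not code from this thread or from Snort itself: in Snort's rule language a `content:` pattern is matched as a literal byte string (with `nocase` making the comparison case-insensitive), while a `pcre:` pattern is a regular expression in which `.` stands for any single byte. The harness below runs both interpretations of the same `.scr` pattern over a few constructed payloads and records what each one matched, which is the kind of detail worth attaching when reporting a suspected false positive. The sample payloads, the function names and the use of `.scr` as the pattern are assumptions for illustration; the actual rule text from the signature database is not reproduced here.

```python
import re

# Constructed sample payloads for illustration; none of these come from the original thread.
SAMPLE_PAYLOADS = {
    "html_mail_screensaver": b"<html><body>Get our free screensaver today!</body></html>",
    "mime_scr_attachment": b'Content-Disposition: attachment; filename="funny.scr"\r\n',
    "uppercase_scr_attachment": b'Content-Disposition: attachment; filename="GAME.SCR"\r\n',
    "unrelated_text": b"Nothing to see here, move along.",
}


def literal_content_match(payload: bytes, content: bytes, nocase: bool = False) -> int:
    """Model of a Snort 'content:' option: a literal byte-string search.

    Returns the offset of the first match, or -1 if the bytes never occur.
    """
    if nocase:
        return payload.lower().find(content.lower())
    return payload.find(content)


def regex_match(payload: bytes, pattern: bytes, nocase: bool = False) -> int:
    """Model of a 'pcre:' style option: the pattern is a regular expression,
    so '.' matches any single byte. Returns the match offset, or -1."""
    flags = re.IGNORECASE if nocase else 0
    m = re.search(pattern, payload, flags)
    return m.start() if m else -1


def matched_context(payload: bytes, offset: int, length: int, window: int = 12) -> bytes:
    """Bytes surrounding a match, suitable for quoting in a false-positive report."""
    start = max(0, offset - window)
    end = min(len(payload), offset + length + window)
    return payload[start:end]


def compare_interpretations(payload: bytes, pattern: bytes, nocase: bool = True) -> dict:
    """Run both readings of one pattern against one payload and return the offsets."""
    return {
        "literal_offset": literal_content_match(payload, pattern, nocase),
        "regex_offset": regex_match(payload, pattern, nocase),
    }


def false_positive_summary(payloads: dict, pattern: bytes, nocase: bool = True) -> dict:
    """For every payload, record which interpretation fires and the bytes it hit on."""
    summary = {}
    for name, data in payloads.items():
        offsets = compare_interpretations(data, pattern, nocase)
        lit, rx = offsets["literal_offset"], offsets["regex_offset"]
        summary[name] = {
            "literal_fires": lit >= 0,
            "regex_fires": rx >= 0,
            "literal_match": matched_context(data, lit, len(pattern)) if lit >= 0 else b"",
            "regex_match": matched_context(data, rx, len(pattern)) if rx >= 0 else b"",
        }
    return summary


if __name__ == "__main__":
    # Assumed pattern: the ".scr" string from the thread, compared case-insensitively.
    for name, info in false_positive_summary(SAMPLE_PAYLOADS, b".scr").items():
        print(f"{name:26s} literal={info['literal_fires']!s:5s} regex={info['regex_fires']!s:5s}")
        for key in ("literal_match", "regex_match"):
            if info[key]:
                print(f"    {key}: {info[key]!r}")
```

Running it shows the difference the thread turns on: the literal reading fires only on the payloads that actually contain the four bytes `.scr` (the two attachment headers, the second one only because of `nocase`), whereas the regex reading also fires on the "screensaver" mail body, because the space before "scr" satisfies `.`. Whichever reading reproduces your alerts, the offset and surrounding bytes from `matched_context` are what let a rule maintainer see exactly what was matched.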