[Snort-users] False Positives on 1:17246

Christopher A. Libby clibby at ...14973...
Thu Oct 14 09:54:04 EDT 2010


Looks like there are a lot of false positives being generated on SPECIFIC-THREATS Multiple vendor Antivirus magic byte detection evasion attempt.  I haven't had time to review the rule itself to see if I can figure out what the issue is exactly - I can supply data if needed.

Also - does anyone have a script that could extract the full details of the event from the Snorby database?  I have a hard time providing data using the web-based export methods, as it doesn't contain all the information.  Thanks!
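Added example, not from the original post and not Snorby's own code: a script that pulls the full record for every event matching one rule (here 1:17246) out of a Snorby-style database, joining the per-event tables and hex-decoding the stored payload so the result can be attached to a report. Snorby is populated by barnyard2 using the classic Snort database schema (sensor, signature, event, iphdr, tcphdr, data); the table and column names below assume that schema. The in-memory SQLite copy and every row loaded into it are constructed for this example so it runs offline; against a real install you would open the MySQL/PostgreSQL connection instead and run the same SQL.

```python
"""Extract full event records for one Snort rule from a Snorby database.

The SQL is written against the Snort DB schema that barnyard2 writes into
Snorby (assumed column names).  The SQLite copy and all rows in it are
CONSTRUCTED so the example runs offline.
"""
import ipaddress
import json
import sqlite3

SCHEMA = """
CREATE TABLE sensor    (sid INTEGER PRIMARY KEY, hostname TEXT, interface TEXT);
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT,
                        sig_gid INTEGER, sig_sid INTEGER, sig_rev INTEGER);
CREATE TABLE event     (sid INTEGER, cid INTEGER, signature INTEGER,
                        timestamp TEXT, PRIMARY KEY (sid, cid));
CREATE TABLE iphdr     (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER,
                        ip_proto INTEGER, PRIMARY KEY (sid, cid));
CREATE TABLE tcphdr    (sid INTEGER, cid INTEGER, tcp_sport INTEGER,
                        tcp_dport INTEGER, PRIMARY KEY (sid, cid));
CREATE TABLE data      (sid INTEGER, cid INTEGER, data_payload TEXT,
                        PRIMARY KEY (sid, cid));
"""

# Every per-event table keys on (sensor id, event id).  tcphdr and data are
# LEFT JOINed: non-TCP events have no tcphdr row, payload-less events no data row.
EVENT_SQL = """
SELECT e.sid, e.cid, e.timestamp, s.hostname, s.interface,
       sg.sig_gid, sg.sig_sid, sg.sig_rev, sg.sig_name,
       ip.ip_src, ip.ip_dst, ip.ip_proto,
       t.tcp_sport, t.tcp_dport, d.data_payload
FROM event e
JOIN signature sg  ON sg.sig_id = e.signature
JOIN sensor s      ON s.sid = e.sid
JOIN iphdr ip      ON ip.sid = e.sid AND ip.cid = e.cid
LEFT JOIN tcphdr t ON t.sid = e.sid AND t.cid = e.cid
LEFT JOIN data d   ON d.sid = e.sid AND d.cid = e.cid
WHERE sg.sig_gid = ? AND sg.sig_sid = ?
ORDER BY e.timestamp, e.cid
"""

def ip4(addr):
    """The Snort DB schema stores IPv4 addresses as unsigned 32-bit integers."""
    return int(ipaddress.IPv4Address(addr))

def build_sample_db():
    """In-memory stand-in for the Snorby DB, loaded with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO sensor VALUES (1, 'sensor01', 'eth0')")
    conn.executemany("INSERT INTO signature VALUES (?,?,?,?,?)", [
        # sig_rev is a placeholder; the real revision is whatever the ruleset carries
        (1, "SPECIFIC-THREATS Multiple vendor Antivirus magic byte detection "
            "evasion attempt", 1, 17246, 1),
        (2, "EXAMPLE unrelated rule (constructed)", 1, 1000001, 1),
    ])
    # Constructed payload; it is not claimed to be what the rule actually matches on.
    payload = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
               + bytes(range(16)))
    rows = [  # (cid, signature, timestamp, src, dst, sport, dport, payload_hex)
        (1, 1, "2010-10-14 09:12:03", "192.0.2.10", "10.0.0.5", 80, 51234, payload.hex().upper()),
        (2, 1, "2010-10-14 09:13:41", "192.0.2.10", "10.0.0.7", 80, 51240, payload.hex().upper()),
        (3, 2, "2010-10-14 09:14:00", "10.0.0.5", "192.0.2.10", 51235, 80, None),
    ]
    for cid, sig, ts, src, dst, sport, dport, hexp in rows:
        conn.execute("INSERT INTO event VALUES (1,?,?,?)", (cid, sig, ts))
        conn.execute("INSERT INTO iphdr VALUES (1,?,?,?,6)", (cid, ip4(src), ip4(dst)))
        conn.execute("INSERT INTO tcphdr VALUES (1,?,?,?)", (cid, sport, dport))
        if hexp is not None:
            conn.execute("INSERT INTO data VALUES (1,?,?)", (cid, hexp))
    conn.commit()
    return conn

def printable(payload, limit=48):
    """ASCII preview of the first bytes, non-printables shown as '.'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in payload[:limit])

def fetch_events(conn, gid, sid):
    """Return every event for rule gid:sid with headers and decoded payload."""
    events = []
    for r in conn.execute(EVENT_SQL, (gid, sid)):
        payload = bytes.fromhex(r[14]) if r[14] else b""   # data_payload is hex text
        events.append({
            "sensor": f"{r[3]}:{r[4]}", "cid": r[1], "timestamp": r[2],
            "rule": f"{r[5]}:{r[6]}:{r[7]}", "sig_name": r[8],
            "src": str(ipaddress.IPv4Address(r[9])),
            "dst": str(ipaddress.IPv4Address(r[10])),
            "proto": r[11], "sport": r[12], "dport": r[13],
            "payload_hex": payload.hex(), "payload_preview": printable(payload),
        })
    return events

def export_jsonl(events):
    """One JSON object per line, easy to attach to a false-positive report."""
    return "\n".join(json.dumps(ev) for ev in events)

if __name__ == "__main__":
    print(export_jsonl(fetch_events(build_sample_db(), 1, 17246)))
```

The join is the part worth keeping when moving this to a real database: the web export typically shows only what is on the event row, while the source/destination addresses, ports and raw payload live in iphdr, tcphdr and data keyed by the same (sid, cid) pair.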



