[Snort-users] False Positives on 1:17246
josh at ...14998...
Thu Oct 14 10:12:16 EDT 2010
On 10/14/2010 9:54 AM, Christopher A. Libby wrote:
> Looks like there are a lot of false positives being generated on
> SPECIFIC-THREATS Multiple vendor Antivirus magic byte detection evasion
> attempt. I haven't had time to review the rule itself to see if I can
> figure out what the issue is exactly - I can supply data if needed.
> Also - does anyone have a script that could extract the full details of
> the event from the Snorby database? I have a hard time providing data
> using the web-based export methods, as it doesn't contain all the
I'll second the large amounts of "false positives" on that signature.
I came in today to several hundred alerts for 17246. The signature src
addresses are fairly random (banking site, diet site, several ad
servers, etc) and all are from web traffic (tcp/80).