[Snort-users] False positive on sid:17246

Andy Berryman aberryman at ...14765...
Wed Sep 15 13:02:41 EDT 2010


Great thanks! 

Sent from my phone. Please excuse any spelling mistakes.


On Sep 15, 2010, at 12:02 PM, "Alex Kirk" <akirk at ...1935...> wrote:

> You're not the only one. We're already reviewing the best way to update the rule based on a FP report we got in this morning. We'll have a new version out in the next 1-2 SEUs.
> 
> On Wed, Sep 15, 2010 at 12:39 PM, Andy Berryman <aberryman at ...14758...> wrote:
> Anyone getting false positives on this? I just did a rule update this morning am now getting tons of events for this all of a sudden.
> 
>  
> 
> SPECIFIC-THREATS Multiple vendor Antivirus magic byte detection evasion attempt
> 
>  
> 
> Just seeing if anyone else is experiencing it? It looks like they are triggering on gzip files.
> 
>  
> 
>  
> 
>  
> 
> Thanks,
> 
> Andy Berryman
> 
> This message from Cymtec Systems, Inc. contains confidential information and is solely for the use of the recipient(s) named above. If you are not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that you have received this message in error and that any review, disclosure, copying, distribution or use of the contents of this message is strictly prohibited. If you have received this message in error, please destroy it immediately and notify Cymtec Systems, Inc. by telephone at +1.314.993.8700 or by return e-mail.
>  
> 
> ------------------------------------------------------------------------------
> Start uncovering the many advantages of virtual appliances
> and start using them to simplify application deployment and
> accelerate your shift to cloud computing.
> http://p.sf.net/sfu/novell-sfdev2dev
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> 
> 
> -- 
> Alex Kirk
> AEGIS Program Lead
> Sourcefire Vulnerability Research Team
> +1-410-423-1937
> alex.kirk at ...1935...

###############################################################################
This message from Cymtec Systems, Inc. contains confidential information and is solely for the use of the recipient(s) named above.  If you are not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that you have received this message in error and that any review, disclosure, copying, distribution or use of the contents of this message is strictly prohibited.  If you have received this message in error, please destroy it immediately and notify Cymtec Systems, Inc. by telephone at +1.314.993.8700 or by return e-mail.                    
###############################################################################
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20100915/c0651eb5/attachment.html>


More information about the Snort-users mailing list