[Snort-users] Signature 17210

Jefferson, Shawn Shawn.Jefferson at ...14448...
Fri Oct 26 12:36:54 EDT 2012


As far as false positives go, I think you have the following options (if the traffic/event is legitimate and cannot be shutdown):


1.     Disable the rule entirely (you will lose all detection/prevention for this rule though!)

2.     Write a suppression rule in threshold.conf (a more targeted approach).

3.     Take the original rule, add some unique content match to it, and make it a pass rule in your local.rules (where you can identity something unique about the false positive and don't have the ability to do #2 above without losing some detection/prevention capability.)

That's what I do in these cases.  Anyone else have additional ways of copying with false positives?



From: Joel Esler [mailto:jesler at ...1935...]
Sent: Friday, October 26, 2012 6:16 AM
To: K Vijaya Sai Prasanth
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Signature 17210

On Oct 26, 2012, at 6:31 AM, K Vijaya Sai Prasanth <sai.prashanth at ...15903.....<mailto:sai.prashanth at ...15887...>> wrote:


Can anyone explain when this rule is triggered and how any false positives can be mitigated? I see that this is the rule definition. Can someone please interpret this?

That rule indicates a Portable Executable file transfer has taken place over SMB shares.

I'd get started with the docs at www.snort.org/docs<http://www.snort.org/docs> for information.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20121026/a95b57de/attachment.html>


More information about the Snort-users mailing list