[Snort-users] Signature 17210
Shawn.Jefferson at ...14448...
Fri Oct 26 12:36:54 EDT 2012
As far as false positives go, I think you have the following options (if the traffic/event is legitimate and cannot be shutdown):
1. Disable the rule entirely (you will lose all detection/prevention for this rule though!)
2. Write a suppression rule in threshold.conf (a more targeted approach).
3. Take the original rule, add some unique content match to it, and make it a pass rule in your local.rules (where you can identity something unique about the false positive and don't have the ability to do #2 above without losing some detection/prevention capability.)
That's what I do in these cases. Anyone else have additional ways of copying with false positives?
From: Joel Esler [mailto:jesler at ...1935...]
Sent: Friday, October 26, 2012 6:16 AM
To: K Vijaya Sai Prasanth
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Signature 17210
On Oct 26, 2012, at 6:31 AM, K Vijaya Sai Prasanth <sai.prashanth at ...15903.....<mailto:sai.prashanth at ...15887...>> wrote:
Can anyone explain when this rule is triggered and how any false positives can be mitigated? I see that this is the rule definition. Can someone please interpret this?
That rule indicates a Portable Executable file transfer has taken place over SMB shares.
I'd get started with the docs at www.snort.org/docs<http://www.snort.org/docs> for information.
Senior Research Engineer, VRT
OpenSource Community Manager
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users