[Snort-users] Signature 17210

Joel Esler jesler at ...1935...
Fri Oct 26 13:13:41 EDT 2012


Ensure it's a false positive too. 

Sent from my iPhone

On Oct 26, 2012, at 12:48 PM, "Jefferson, Shawn" <Shawn.Jefferson at ...14579.....> wrote:

> Typo… copying = coping
>  
>  
> From: Jefferson, Shawn [mailto:Shawn.Jefferson at ...14448...] 
> Sent: Friday, October 26, 2012 9:37 AM
> To: Joel Esler; K Vijaya Sai Prasanth
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Signature 17210
>  
> As far as false positives go, I think you have the following options (if the traffic/event is legitimate and cannot be shutdown):
>  
> 1. Disable the rule entirely (you will lose all detection/prevention for this rule though!)
> 2. Write a suppression rule in threshold.conf (a more targeted approach).
> 3. Take the original rule, add some unique content match to it, and make it a pass rule in your local.rules (where you can identify something unique about the false positive and don’t have the ability to do #2 above without losing some detection/prevention capability.)
>  
> That’s what I do in these cases.  Anyone else have additional ways of copying with false positives?
>  
>  
>  
> From: Joel Esler [mailto:jesler at ...1935...] 
> Sent: Friday, October 26, 2012 6:16 AM
> To: K Vijaya Sai Prasanth
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Signature 17210
>  
> On Oct 26, 2012, at 6:31 AM, K Vijaya Sai Prasanth <sai.prashanth at ...15904...7...> wrote:
>  
> 
> Can anyone explain when this rule is triggered and how any false positives can be mitigated? I see that this is the rule definition. Can someone please interpret this?
>  
> That rule indicates a Portable Executable file transfer has taken place over SMB shares.
>  
> I'd get started with the docs at www.snort.org/docs for information.
>  
> --
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
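The three options Shawn lists above, written out as Snort 2.9 configuration. This is an added example and not part of the thread or of any Sourcefire/VRT rule file: the addresses, the share marker string and the rule options in the pass rule are constructed placeholders (the real options of sid 17210 are not reproduced here), and $HOME_NET is assumed to be defined in snort.conf.

```conf
# Option 1: disable gid 1, sid 17210 entirely.  Either comment the rule out
# in its rules file, or, if pulledpork manages your rules, add this line
# to disablesid.conf (all detection for the rule is lost):
#   1:17210

# Option 2: suppression in threshold.conf.  The rule stays enabled and is
# still evaluated, but events from the known-good source are not logged.
# 10.1.2.3 is a constructed address for the host that legitimately copies
# PE files to the share.
suppress gen_id 1, sig_id 17210, track by_src, ip 10.1.2.3

# Narrower variant: only suppress when the known-good file server is the
# destination (10.1.2.0/24 is likewise constructed).
suppress gen_id 1, sig_id 17210, track by_dst, ip 10.1.2.0/24

# A suppress line with no "track" clause silences the sid everywhere, which
# is effectively Option 1 with the matching cost still paid:
#   suppress gen_id 1, sig_id 17210

# Option 3: targeted pass rule in local.rules.  Copy the detection options
# of the original rule, add a content match unique to the benign transfer,
# and change the action to "pass".  The options below are illustrative only:
# "MZ" is the PE magic, "DEPLOY_SHARE_MARKER" stands in for whatever is
# unique to the legitimate traffic, and 1000001 is a local sid.
pass tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"LOCAL known-good PE copy to deployment share"; flow:to_server,established; content:"MZ"; content:"DEPLOY_SHARE_MARKER"; sid:1000001; rev:1;)
```

Under Snort 2.9's default rule ordering, pass rules are evaluated before alert rules, so the pass rule wins for the traffic it matches; if snort.conf carries a custom "config order:" directive, confirm that pass still precedes alert. Whichever option is used, run `snort -T -c /etc/snort/snort.conf` afterwards to check that the configuration and the new rule parse, and keep a record of why the event was judged benign, as Joel's reply recommends.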