[Snort-users] False Positive on VRT 28039

Jeremy Hoel jthoel at ...11827...
Tue Nov 26 23:19:51 EST 2013


I was fiddling around with it trying to have it !content  for u.pw,
still working on that.  The category is fine, I just wondered if there
was a desire to filter the known site.

On Tue, Nov 26, 2013 at 9:04 PM, Joel Esler (jesler) <jesler at ...589...> wrote:
> Maybe indicator-compromise is the wrong category.
>
> --
> Joel Esler
> Intelligence Lead
> Open Source Manager
> Vulnerability Research Team
>
>> On Nov 26, 2013, at 19:39, "Jeremy Hoel" <jthoel at ...11827...> wrote:
>>
>> Rule is looking for .pw as indicator of compromise however upworthy
>> bought u.pw as a URL shortener.  Maybe modify the rule to exclude that
>> domain?
>>
>> http://www.thedomains.com/2013/06/03/upworthy-com-buys-u-pw-as-url-shortener/
>>
>> ------------------------------------------------------------------------------
>> Rapidly troubleshoot problems before they affect your business. Most IT
>> organizations don't have a clear picture of how application performance
>> affects their revenue. With AppDynamics, you get 100% visibility into your
>> Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics Pro!
>> http://pubads.g.doubleclick.net/gampad/clk?id=84349351&iu=/4140/ostg.clktrk
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest Snort news!




More information about the Snort-users mailing list