[Snort-users] False Positive on VRT 28039

Joel Esler (jesler) jesler at ...589...
Wed Nov 27 09:00:31 EST 2013

No, that wouldn’t be appropriate, since u.pw is still “.pw”.

This is a case for suppression on your local instance if alerts to “u.pw” are allowed in your organization.

Joel Esler
AEGIS Intelligence Lead
OpenSource Manager
Vulnerability Research Team, Sourcefire

On Nov 26, 2013, at 11:19 PM, Jeremy Hoel <jthoel at ...11827...> wrote:

> I was fiddling around with it trying to have it !content for u.pw,
> still working on that.  The category is fine, I just wondered if there
> was a desire to filter the known site.
> On Tue, Nov 26, 2013 at 9:04 PM, Joel Esler (jesler) <jesler at ...589...> wrote:
>> Maybe indicator-compromise is the wrong category.
>> --
>> Joel Esler
>> Intelligence Lead
>> Open Source Manager
>> Vulnerability Research Team
>>> On Nov 26, 2013, at 19:39, "Jeremy Hoel" <jthoel at ...11827...> wrote:
>>> Rule is looking for .pw as indicator of compromise however upworthy
>>> bought u.pw as a URL shortener.  Maybe modify the rule to exclude that
>>> domain?
>>> http://www.thedomains.com/2013/06/03/upworthy-com-buys-u-pw-as-url-shortener/