[Snort-users] False Positive on VRT 28039

Joel Esler (jesler) jesler at ...589...
Wed Nov 27 09:00:31 EST 2013


No, that wouldn’t be appropriate, since u.pw is still “.pw”.

This is a case for suppression on your local instance if alerts to “u.pw” are allowed in your organization.

--
Joel Esler
AEGIS Intelligence Lead
OpenSource Manager
Vulnerability Research Team, Sourcefire



On Nov 26, 2013, at 11:19 PM, Jeremy Hoel <jthoel at ...11827...> wrote:

> I was fiddling around with it trying to have it !content for u.pw,
> still working on that.  The category is fine, I just wondered if there
> was a desire to filter the known site.
> 
> On Tue, Nov 26, 2013 at 9:04 PM, Joel Esler (jesler) <jesler at ...589...> wrote:
>> Maybe indicator-compromise is the wrong category.
>> 
>> --
>> Joel Esler
>> Intelligence Lead
>> Open Source Manager
>> Vulnerability Research Team
>> 
>>> On Nov 26, 2013, at 19:39, "Jeremy Hoel" <jthoel at ...11827...> wrote:
>>> 
>>> Rule is looking for .pw as an indicator of compromise; however, Upworthy
>>> bought u.pw as a URL shortener.  Maybe modify the rule to exclude that
>>> domain?
>>> 
>>> http://www.thedomains.com/2013/06/03/upworthy-com-buys-u-pw-as-url-shortener/
>>> 
