[Snort-users] Snort Blog: Reporting False Positives with Snort.org

Joel Esler (jesler) jesler at ...589...
Tue Nov 22 11:06:41 EST 2016



http://blog.snort.org/2016/11/reporting-false-positives-with-snortorg.html

Reporting False Positives with Snort.org
Some users may not be aware, but you've been able to report false positives on Snort.org for years. I say that users may not be aware because, quite unintentionally, the feature wasn't very easy to find.

With today's rollout of version 5.1.1 of Snort.org, hopefully, we've fixed that.

When visiting Snort.org, upon logging in:

[Image: homepage.png] <http://3.bp.blogspot.com/-L1V6hKiWIWU/WDRoorYiJGI/AAAAAAAAA7Y/E-3VvrH16M86fSLO92z72fkj2r4S9LCIwCK4B/s1600/homepage.png>


then clicking on your email in the same section after logging in, you will be taken to your User Preferences and information screen.

On the left side of the screen, you will see the different sections in your user account:

[Image: preferences.png] <http://1.bp.blogspot.com/-kx0fMjX8C-A/WDRpBdUF4GI/AAAAAAAAA7g/ZZ5El814SdgQ-V2-Au-XgE1snjCK4wn6QCK4B/s1600/preferences.png>


This includes a new link at the bottom of the list for "False Positive".

[Image: fp.png] <http://2.bp.blogspot.com/-hQH0MsesgN4/WDRq4br6wfI/AAAAAAAAA7s/f8zaK7ilr14CUf-esy7xATyHlrYbQf2JwCK4B/s1600/fp.png>


The screen looks like this:

[Image: fp.png] <http://3.bp.blogspot.com/-Acd2PoO6t9M/WDRrDWXDo1I/AAAAAAAAA70/zdhCpb-0kZkaQ91NGlXTjfaUS01ozJQLACK4B/s1600/fp.png>


When you fill out this form and click submit, the pcap and description will enter directly into our analyst's queue for work, allowing us to process false positives quickly.


In a future version of the Snort site, we are going to tie this feature directly into what we call the "Analyst Console" here at Talos. This will allow you to see the status of your false positive automatically as it flows through our system, including when the rule will be fixed and when it was released.


In the meantime, please use this system for your FP reports and help us improve the feature!


--
Joel Esler | Talos: Manager | jesler at ...589...





