Snort mailing list archives
RE: False Positives
From: "Hutchinson, Andrew" <Andrew.Hutchinson () Vanderbilt edu>
Date: Wed, 28 Aug 2002 15:36:10 -0500
I believe that the alert rules are applied before the pass rules, and thus the pass rule wouldn't work unless you changed the default alerting order with the '-o' switch. You could add a space after the word "virgin" in the content part of the rule, if you wanted to. Or you could just comment out the rule, let some of the potential porn get by, and make Larry Flynt et al. happy.

Andrew

-----Original Message-----
From: Kent Freeman [mailto:kfreeman () nexxtnet com]
Sent: Wednesday, August 28, 2002 2:41 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] False Positives

Greetings fellow Snorters;

I have been experiencing a lot of false positives, and need a little help. The false positives are being generated by this "porn virgin" ruleset:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN virgin"; content:"virgin"; nocase; flags:A+; classtype:kickass-porn; sid:1796; rev:1;)

The problem is that whenever a packet with the word "Virginia" traverses my network, it is logged as an alert. What is the best method to prevent this? Add a rule to local.rules like this:

pass tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (content:"Virginia"; flags:A+; classtype:false-positive-porn; sid:1796; rev:1;)

Is there a way to add a second content section to the existing rule? Does Snort support regular expressions in the rules (not, if, or, else, etc.)?

Any help will be greatly appreciated.

Kent Freeman

-------------------------------------------------------
This sf.net email is sponsored by: Jabber - The world's fastest growing real-time communications platform! Don't just IM. Build it in!
http://www.jabber.com/osdn/xim
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
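The following is an added illustration, not code from the thread or from Snort itself: a small Python model of the two things the reply hinges on, substring `content` matching with `nocase`, and the order in which alert and pass rules are evaluated (alert before pass by default, pass first with Snort's `-o` switch). The payloads, rule objects and message strings are constructed for the demo; it models only the `content`/`nocase` keywords and ignores ports, flags and everything else in a real rule.

```python
"""Model of Snort-style content matching and alert/pass rule ordering.

Added example for the Snort-users thread on the "PORN virgin" false positive.
It is NOT Snort's implementation; it only reproduces the behaviour the thread
discusses: content:"virgin"; nocase; is a case-insensitive substring test, so
it matches "Virginia", and a pass rule cannot suppress an alert unless pass
rules are evaluated before alert rules.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str    # "alert" or "pass" (the only two actions modelled here)
    content: str   # the content:"..." string of the rule
    nocase: bool   # True if the rule carries the nocase modifier
    msg: str       # msg:"..." used to report which rule fired


def content_matches(rule: Rule, payload: str) -> bool:
    """Snort's content keyword is a plain substring search; nocase makes it
    case-insensitive. There is no word-boundary notion in the keyword."""
    if rule.nocase:
        return rule.content.lower() in payload.lower()
    return rule.content in payload


def evaluate(rules: List[Rule], payload: str,
             pass_first: bool = False) -> Tuple[str, Optional[str]]:
    """Return (action, msg) of the first rule that matches the payload.

    pass_first=False models the default Alert -> Pass order, in which an
    alert fires even if a pass rule would also match.
    pass_first=True models running with -o (Pass -> Alert), so a matching
    pass rule wins and the alert is suppressed.
    """
    rank = {"pass": 0, "alert": 1} if pass_first else {"alert": 0, "pass": 1}
    for rule in sorted(rules, key=lambda r: rank[r.action]):  # stable sort
        if content_matches(rule, payload):
            return rule.action, rule.msg
    return "none", None


# Rules from the thread, reduced to the keywords this model understands.
ORIGINAL_ALERT = Rule("alert", "virgin", True, "PORN virgin")
# The reply's first suggestion: a trailing space inside the content string.
TRAILING_SPACE_ALERT = Rule("alert", "virgin ", True, "PORN virgin (trailing space)")
# The asker's local.rules idea: a pass rule keyed on the longer word.
PASS_VIRGINIA = Rule("pass", "Virginia", False, "local pass Virginia")

# Constructed sample HTTP responses (not captured traffic).
PAYLOAD_VIRGINIA = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                    "<p>Welcome to the University of Virginia</p>\r\n")
PAYLOAD_OLIVE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                 "<p>Extra virgin olive oil, cold pressed</p>\r\n")


def main() -> None:
    cases = [
        ("original rule, Virginia page", [ORIGINAL_ALERT], PAYLOAD_VIRGINIA, False),
        ("trailing-space rule, Virginia page", [TRAILING_SPACE_ALERT], PAYLOAD_VIRGINIA, False),
        ("trailing-space rule, olive oil page", [TRAILING_SPACE_ALERT], PAYLOAD_OLIVE, False),
        ("alert + pass, default order", [ORIGINAL_ALERT, PASS_VIRGINIA], PAYLOAD_VIRGINIA, False),
        ("alert + pass, -o order", [ORIGINAL_ALERT, PASS_VIRGINIA], PAYLOAD_VIRGINIA, True),
    ]
    for label, rules, payload, pass_first in cases:
        print(f"{label:38s} -> {evaluate(rules, payload, pass_first)}")


if __name__ == "__main__":
    main()
```

Two caveats the run makes visible: the trailing space stops "Virginia" from matching but still fires on "extra virgin olive oil" (and would miss "virgin." at the end of a sentence), because `content` is a substring test with no notion of words; and the pass rule only helps once pass rules are evaluated ahead of alert rules, which is exactly what the reply says about `-o`.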
Current thread:
- False Positives Kent Freeman (Aug 28)
- <Possible follow-ups>
- RE: False Positives Hutchinson, Andrew (Aug 28)