Re: False positives

[Gary Verhulp <garyv () cips nokia com>]

That's what I'm sayin'
:)
I've determined that I have a false positive i.e. I've examined the 
packets and I have  reliable instances of False positives.

For instance <possible  .scr worm> is triggered by .scr
which, as I understand it, reads as any character followed by "scr"

Anytime someone gets mail with HTML embedded that has the word 
"screensaver" or something like that triggers the alarm. I have  a bunch 
of instances that I've determined to be false positives.
I just wanted to know if the people who maintain the signature database 
want this info. If so what information should I provide, in what format, 
and whom do I send it to.

Thanks

Gary

Alberto Gonzalez wrote:
> IMHO, you shouldn't just dismiss alerts as false positives, you 
> determine if its a false positive by investigating.
> If you have investigated before, and still are getting alerts, then you 
> can pretty much dismiss those (be warned).
> As to your e-mail, I really don't get what your trying to say. Snort 
> reports on the rules you tell it to check packets
> against, that simple. The ones you define in your snort config. (ie 
> snort.conf).
>
> Hope it Helps
>
>    - Albert
>
> Gary Verhulp wrote:
>
> > How does wone report false positives for rules.
> >
> > What info do you need to include.
> >
> > Thanks
> >
> > Gary




-------------------------------------------------------
This sf.net emial is sponsored by: Influence the future 
of Java(TM) technology. Join the Java Community 
Process(SM) (JCP(SM)) program now. 
http://ad.doubleclick.net/clk;4699841;7576301;v?http://www.sun.com/javavote
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users