Snort mailing list archives

Re: Question regarding a rule


From: James Lay <jlay () slave-tothe-box net>
Date: Wed, 25 Jun 2014 06:24:33 -0600

On Wed, 2014-06-25 at 13:10 +0100, Charlie Egan wrote:
Hi James,

Sorry, a bit new to all of this - is a pcap file just a saved Wireshark
file so you can have a look at all of the packets?

Cheers

On Wed, Jun 25, 2014 at 12:39 PM, James Lay <jlay () slave-tothe-box net>
wrote:

        On Tue, 2014-06-24 at 21:36 +0100, Charlie Egan wrote: 
        
        > Nope none whatsoever other than specifying my $HOME_NET ip.
        > I assumed they may be false positives, but I'm only
        > downloading one torrent file to my desktop when I run the
        > test, so it doesn't make sense to me why 25 odd alerts are
        > popping up. The content of the rule is at the beginning of
        > the hex dump of the metafile, and |38 64 61| certainly
        > doesn't pop up again within the file.
        > 
        > Do you have any idea what could be causing false positives?
        > 
        > Cheers
        If you'd like to share a pcap of the file off list I'll take a
        look at that and the current rule you're trying.
        
        James 
        
Indeed it is.

James
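Two points in the exchange above are worth making concrete: a pcap is the libpcap capture file that Wireshark (and tcpdump, and `snort -r`) reads and writes, and a bare three-byte match such as content:"|38 64 61|" (the ASCII text "8da") fires wherever those bytes occur in a packet payload, not only where the metafile header sits. The Python below is an added example, not code from this thread or from Snort: it builds a small three-packet capture in memory (constructed sample data with invented addresses and ports), decodes it with a minimal libpcap/Ethernet/IPv4/TCP reader, and applies a simplified model of Snort's content/offset/depth semantics. The matcher is an illustration of what those modifiers restrict, not Snort's detection engine.

```python
import struct

# Snort content:"|38 64 61|" -- the bytes 0x38 0x64 0x61, i.e. ASCII "8da"
PATTERN = bytes.fromhex("386461")


def build_tcp_packet(src, dst, sport, dport, payload):
    """Ethernet/IPv4/TCP frame with zeroed MACs and checksums (enough for a reader)."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # dst MAC, src MAC, EtherType IPv4
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport,     # ports
                          0, 0,                           # seq, ack
                          5 << 4, 0x18,                   # data offset 20 bytes, PSH|ACK
                          65535, 0, 0)                    # window, checksum, urgent
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len,
                         0, 0, 64, 6, 0, src, dst)        # id, flags, ttl, proto TCP, csum
    return eth + ip_hdr + tcp_hdr + payload


def build_pcap(packets, linktype=1):
    """Serialize frames as a classic libpcap file (the format Wireshark saves as .pcap)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)]
    for i, pkt in enumerate(packets):
        out.append(struct.pack("<IIII", 1403700000 + i, 0, len(pkt), len(pkt)))
        out.append(pkt)
    return b"".join(out)


def read_pcap(data):
    """Minimal libpcap reader; yields (src, dst, sport, dport, tcp_payload) per TCP packet."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng has a different header)")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != 1:
        raise ValueError("this example decodes Ethernet captures only")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if frame[12:14] != b"\x08\x00":               # not IPv4
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:                                # not TCP
            continue
        total_len, = struct.unpack_from("!H", ip, 2)
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        doff = (tcp[12] >> 4) * 4
        yield ip[12:16], ip[16:20], sport, dport, tcp[doff:]


def content_matches(payload, pattern, offset=0, depth=None):
    """Simplified model of Snort content with offset/depth: look for `pattern`
    starting `offset` bytes into the payload, within at most `depth` bytes.
    No depth means 'anywhere after offset', which is what a bare content does."""
    end = None if depth is None else offset + depth
    return pattern in payload[offset:end]


def count_alerts(pcap_bytes, pattern, offset=0, depth=None):
    """Number of TCP packets in the capture whose payload the modelled rule matches."""
    return sum(1 for rec in read_pcap(pcap_bytes)
               if content_matches(rec[4], pattern, offset, depth))


# Constructed sample capture (invented addresses and ports, not real traffic):
#   packet 1: payload begins with "8da"           -- the case the rule is meant for
#   packet 2: "8da" occurs inside a hex-looking string later in the payload
#   packet 3: no occurrence at all
PEER, HOME = bytes([203, 0, 113, 5]), bytes([192, 168, 1, 10])
SAMPLE_PCAP = build_pcap([
    build_tcp_packet(PEER, HOME, 6881, 50000, b"8da" + b"\x00" * 61),
    build_tcp_packet(PEER, HOME, 6881, 50000, b"payload 3c8da9e1 checksum"),
    build_tcp_packet(PEER, HOME, 6881, 50000, b"\x00" * 64),
])

if __name__ == "__main__":
    print("bare content:      ", count_alerts(SAMPLE_PCAP, PATTERN))           # 2
    print("content + depth:3: ", count_alerts(SAMPLE_PCAP, PATTERN, depth=3))  # 1
    with open("sample.pcap", "wb") as f:   # opens in Wireshark as a 3-packet capture
        f.write(SAMPLE_PCAP)
```

Written to disk, SAMPLE_PCAP opens in Wireshark as an ordinary three-packet capture. Without a depth the pattern is also found inside the hex string in the second packet; adding depth:3 (or an offset/depth window around where the header is expected) restricts the search to the position the metafile actually occupies. Replaying a real capture of the download with `snort -r` against the rule under test is the offline way to reproduce and then narrow down an alert count like the 25 mentioned above.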
------------------------------------------------------------------------------
Open source business process management suite built on Java and Eclipse
Turn processes into business applications with Bonita BPM Community Edition
Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.net/sfu/Bonitasoft
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!