reporting false positives... (msg#00138, security.ids.snort.sigs)
Hi Folks,

I am being plagued by lots of false +ves on many of the newer rules. This isn't a complaint about snort; I'm fully aware of the limitations of the technology and the difficulty of testing sigs. What I want to know is what is the best method of capturing packets that demonstrate the false +ves that the developers can use to refine signatures. The standard advice of "Just send in a pcap" begs several questions of exactly what is required and what is the best method of obtaining the data.

I am willing to expend some time and energy collecting data to help improve the rules, but I want to make sure I am not going about it in an inefficient manner. I have asked this question (or variations on it) several times before but never had any response.

My sensors run on Linux and I use the unified output plugin; how should I go about reporting false +ves? Please assume I'm real dumb :) but that I am smart enough to follow instructions and also to install any other tools that may help.

--
Russell Fulton, Information Security Officer, The University of Auckland, New Zealand