Re: reporting false positives...

What are you using for an event manager or viewer (ie, ACID/BASE, 
snortsnarf, demarc, etc) and are you logging to a database or just 
syslog, etc?

If you're using one of the web based managers you'll have a packet dump 
included in your display. You can generally copy that hex/ascii block 
and we'll know what you're looking at (include ports and flow info as well)

If you're on files only you'll have a file in something like 
/var/log/snort/<IP> with the offending data. You can send that our way 
as well.

If you know an event is going to happen, or you can manually trigger the 
false you can use tcpdump at the command line on your sensor. Something 
like:

tcpdump -n -i eth0 -w packet.dump.filename host <victimIP>

That'll give you a binary dump that you can send our way as well. This 
is preferred for larger events that require more context than one packet.

That is the short version. This would be a good article for 
bleedingsnort.com if anyone is interested in expanding on the subject.

Thanks

Matt

Russell Fulton wrote:
> Hi Folks,
>          I am being plagued by lots of false +ves on many of the newer rules.
> This isn't a complaint about snort, I'm fully aware of the limitations
> of the technology and the difficulty of testing sigs.
>
> What I want to know is what is the best method of capturing packets that
> demonstrate the false +ves that the developers can use to refine
> signatures. The standard advice of "Just send in a pcap" begs several
> questions of exactly what is required and what is the best method of
> obtaining the data.  I am willing to expend some time and energy
> collecting data to help improve the rules but I want to make sure I and
> not going about it in an inefficient manner.
>
> I have asked this question (or variations on it) several times before
> but never had any response.
>
> My sensors run on Linux and I use the unified output plugin, how should
> I go about reporting false +ves?  Please assume I'm real dumb :) but
> that I am smart enough to follow instructions and also to install any
> other tools that may help.


-------------------------------------------------------
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us
Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjournal.com/guidepromo.tmpl