Re: reporting false positives...

I would prefer an ascii dump over a pcap of a single packet. As long as 
you include header info in the copy and paste.

I would imagine that's the concensus, for a single packet at least.

As for the usefulness, I'm sure Brian and crew takt that info in and use 
it but might not always respond. It's definitely useful. On the 
bleedingsnort side, unless it's a quick no0brainer fix we generally 
funnel the FP over to the original author and a fix or tweak almost 
always comes back.

So the effort is definitely appreciated. We'll try to let you know if 
what you've sent in did the trick more often. :)

Matt

Russell Fulton wrote:
> Thanks Matt & Janson for responses:  This has confirmed what I had
> thought. Methods of reporting by order of usefulness:
>
> 1/ tcpdump of whole session
> 2/ tcpdump of single packet
> 3/ Ascii/hex dump of packet from Acid/or whatever.
>
> Is there much difference between 2 and 3? Given that 3 is much easier to
> obtain.
>
> When should I resort to getting full dumps of the streams?
>
> I have reported FPs on many occasions before (although not lately) and
> never had any feed back.  I appreciate that folk are busy doing
> productive stuff but I have been left wondering if it is worth my time
> and if I am sending in the "right stuff".
>
> I'd be happy if I got an occasional "Thanks, this is useful" or "Thanks,
> but what I really need....".


-------------------------------------------------------
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us
Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjournal.com/guidepromo.tmpl