Re: reporting false positives...

The difference between 2 and 3 is that a pcap is easier to work with and 
verify. An ascii dump requires that a packet be crafted and then added 
to a session to run through snort where a pcap can be used natively. It 
is easy to do a snort -dve -r pcap.file but more difficult to recreate 
the pcap from an ascii dump. Nemesis and netdude leave plenty of 
opportunity to oops when going from ascii to pcap.

Russell Fulton wrote:

> Thanks Matt & Janson for responses:  This has confirmed what I had
> thought. Methods of reporting by order of usefulness:
>
> 1/ tcpdump of whole session
> 2/ tcpdump of single packet
> 3/ Ascii/hex dump of packet from Acid/or whatever.
>
> Is there much difference between 2 and 3? Given that 3 is much easier to
> obtain.
>
> When should I resort to getting full dumps of the streams?
>
> I have reported FPs on many occasions before (although not lately) and
> never had any feed back.  I appreciate that folk are busy doing
> productive stuff but I have been left wondering if it is worth my time
> and if I am sending in the "right stuff".
>
> I'd be happy if I got an occasional "Thanks, this is useful" or "Thanks,
> but what I really need....".
>
>
> Cheers, Russell



-------------------------------------------------------
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us
Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjournal.com/guidepromo.tmpl