Re: reporting false positives...

Yup that order is pretty much on the money, also make sure you include 
the rule SID and REV, and make sure your HOME_NET and EXTERNAL_NET 
variables aren't set to "any".  In some cases it also doesn't hurt to 
include the version of snort your running.

As for when to resort to getting full dumps, if you can't do it all the 
time, is when the protocol has extra context in the stream.  Good 
examples of this are DCERPC and SMB, as packets sent previously in the 
stream influence what things mean latter on in the stream.

Cheers,
-matt

Russell Fulton wrote:

> Thanks Matt & Janson for responses:  This has confirmed what I had
> thought. Methods of reporting by order of usefulness:
>
> 1/ tcpdump of whole session
> 2/ tcpdump of single packet
> 3/ Ascii/hex dump of packet from Acid/or whatever.
>
> Is there much difference between 2 and 3? Given that 3 is much easier to
> obtain.
>
> When should I resort to getting full dumps of the streams?
>
> I have reported FPs on many occasions before (although not lately) and
> never had any feed back.  I appreciate that folk are busy doing
> productive stuff but I have been left wondering if it is worth my time
> and if I am sending in the "right stuff".
>
> I'd be happy if I got an occasional "Thanks, this is useful" or "Thanks,
> but what I really need....".
>
>
> Cheers, Russell
>
>  



-------------------------------------------------------
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us
Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjournal.com/guidepromo.tmpl