[Emerging-Sigs] FP:: netbackup

David Glosser david.glosser at gmail.com
Fri Jan 16 11:47:09 EST 2009


yeah, you are right. Is there a list or database of known "false positives"
(this time in quotes) or known applications which trip on certain rules?


On Fri, Jan 16, 2009 at 11:26 AM, Joel Esler <eslerj at gmail.com> wrote:

>
> On Jan 16, 2009, at 7:22 AM, David Glosser allegedly wrote:
>
> Net Backup False Positive:
>
> 1/15-20:41:50.368405  [**] [1:2003055:4] ET MALWARE Suspicious 220 Banner
> on Local Port [**] [Classification: Detection of a non-standard protocol or
> event] [Priority: 2] {TCP} 172.20.xx.xx:13724 -> 192.168.xx.xx:2453
>
> Yeah, I have to talk to the backup guy and figure out why he's not using
> the backup network :)
>
>
> So, it's not a false positive.  The alert triggered on what you wanted it
> to trigger on, and even more it helped you find a system that is operating
> incorrectly.
>
> I guess I don't see how it's a false positive. My point is, and not
> picking on you, David, but people say "false positive" a lot in this industry
> and I think they are just using the wrong terminology.
>
> Pedantic, I know.
>
> J
>
>
>
> --
> Joel Esler
> http://www.joelesler.net
> http://www.twitter.com/joelesler