[Emerging-Sigs] FP:: netbackup

Joel Esler eslerj at gmail.com
Fri Jan 16 14:39:02 EST 2009


When VRT rules are written and reported on, there is a document  
included with every single signature in the database.  In this  
documentation file, there is a field called false positives.

All of this documentation is available on the Snort.org website easily
by searching for the rule number on the left-hand side of the page.

J

On Jan 16, 2009, at 11:47 AM, David Glosser allegedly wrote:

> yeah, you are right. Is there a list or database of known "false  
> positives" (this time in quotes) or known applications which trip on  
> certain rules?
>
>
> On Fri, Jan 16, 2009 at 11:26 AM, Joel Esler <eslerj at gmail.com> wrote:
>
> On Jan 16, 2009, at 7:22 AM, David Glosser allegedly wrote:
>
>> Net Backup False Positive:
>>
>> 1/15-20:41:50.368405  [**] [1:2003055:4] ET MALWARE Suspicious 220 Banner on Local Port [**] [Classification: Detection of a non-standard protocol or event] [Priority: 2] {TCP} 172.20.xx.xx:13724 -> 192.168.xx.xx:2453
>>
>> Yeah, I have to talk to the backup guy and figure out why he's not  
>> using the backup network :)
>
> So, it's not a false positive.  The alert triggered on what you  
> wanted it to trigger on, and even more it helped you find a system  
> that is operating incorrectly.
>
> I guess I don't see how it's a false positive.  My point is, and not  
> picking on you David,  but people say False positive a lot in this  
> industry and I think they are just using the wrong terminology.
>
> Pedantic I know.
>
> J
>
>
>
> --
> Joel Esler
> http://www.joelesler.net
> http://www.twitter.com/joelesler
> [m]
>
>


--
Joel Esler
http://www.joelesler.net
http://www.twitter.com/joelesler
[m]
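The alert quoted in this thread is in Snort's "fast" alert format, and the thread's advice is to look the rule up by its number and then decide what the hit actually means. As an added example, not code from the thread or from the Emerging Threats project, here is a small parser for that format that pulls out the gid:sid:rev the rule documentation is keyed on, notes whether both endpoints are internal (the backup-on-the-wrong-network case above), and renders a Snort 2 threshold.conf suppress line for use only after an analyst has confirmed a host's traffic is expected. The sample alert mirrors the quoted one with the masked "xx.xx" octets replaced by made-up RFC 1918 addresses; the `rule_key`, `triage` and `suppress_line` helpers are constructed for this example.

```python
"""Parse Snort "fast" alert lines and triage them (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Snort "fast" alert format.  The Classification field is optional and
# ports are absent for protocols that have none (e.g. ICMP), so both are
# optional groups.  IPv4 only, which is what the thread's alert uses.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)


@dataclass
class Alert:
    timestamp: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]

    @property
    def rule_key(self) -> str:
        """gid:sid pair under which the rule's documentation is filed."""
        return f"{self.gid}:{self.sid}"

    @property
    def internal_to_internal(self) -> bool:
        """True when both endpoints are RFC 1918 / private addresses."""
        return (ipaddress.ip_address(self.src).is_private
                and ipaddress.ip_address(self.dst).is_private)


def parse_alert(line: str) -> Alert:
    """Parse one fast-format alert line; raise ValueError on anything else."""
    m = ALERT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Snort fast alert: {line!r}")
    g = m.groupdict()
    return Alert(
        timestamp=g["ts"], gid=int(g["gid"]), sid=int(g["sid"]),
        rev=int(g["rev"]), msg=g["msg"], classification=g["cls"],
        priority=int(g["prio"]), proto=g["proto"], src=g["src"],
        sport=int(g["sport"]) if g["sport"] else None,
        dst=g["dst"], dport=int(g["dport"]) if g["dport"] else None,
    )


def triage(alert: Alert) -> str:
    """Label the hit the way the thread argues it should be labelled.

    A rule that fires on exactly the traffic it describes is a true
    positive even when that traffic turns out to be expected; the
    follow-up is fixing the host or tuning the rule for that host,
    not calling the detection wrong.
    """
    if alert.internal_to_internal:
        return "true-positive/internal: confirm the host; tune per host if expected"
    return "true-positive: investigate"


def suppress_line(alert: Alert, track: str = "by_src") -> str:
    """Render a Snort 2 threshold.conf 'suppress' directive for the
    alert's source (or destination) host.  Only emit this once an
    analyst has confirmed the host's traffic is expected.
    """
    ip = alert.src if track == "by_src" else alert.dst
    return f"suppress gen_id {alert.gid}, sig_id {alert.sid}, track {track}, ip {ip}"


# Constructed sample modelled on the alert quoted in the thread; the
# masked "xx.xx" octets are replaced with made-up RFC 1918 addresses.
SAMPLE = (
    "1/15-20:41:50.368405  [**] [1:2003055:4] ET MALWARE Suspicious 220 "
    "Banner on Local Port [**] [Classification: Detection of a non-standard "
    "protocol or event] [Priority: 2] {TCP} 172.20.0.10:13724 -> 192.168.0.20:2453"
)

if __name__ == "__main__":
    a = parse_alert(SAMPLE)
    print(a.rule_key, "rev", a.rev, "-", a.msg)
    print(triage(a))
    print(suppress_line(a))
```

Running it on the sample prints the rule key `1:2003055`, the internal-to-internal triage label, and the suppress line for the backup host's address; the suppress directive is deliberately a separate step from parsing so that tuning remains an analyst decision rather than an automatic response to the alert.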
