[Emerging-Sigs] FP:: netbackup

Joel Esler eslerj at gmail.com
Fri Jan 16 14:39:02 EST 2009

When VRT rules are written and reported on, there is a document  
included with every single signature in the database.  In this  
documentation file, there is a field called false positives.

All of this documentation is available on the Snort.org website; search for the rule number on the left hand side of the page.


On Jan 16, 2009, at 11:47 AM, David Glosser allegedly wrote:

> yeah, you are right. Is there a list or database of known "false  
> positives" (this time in quotes) or known applications which trip on  
> certain rules?
> On Fri, Jan 16, 2009 at 11:26 AM, Joel Esler <eslerj at gmail.com> wrote:
> On Jan 16, 2009, at 7:22 AM, David Glosser allegedly wrote:
>> Net Backup False Positive:
>> 1/15-20:41:50.368405  [**] [1:2003055:4] ET MALWARE Suspicious 220 Banner on Local Port [**] [Classification: Detection of a non-standard protocol or event] [Priority: 2] {TCP} 172.20.xx.xx:13724 -> 192.168.xx.xx:2453
>> Yeah, I have to talk to the backup guy and figure out why he's not using the backup network :)
> So, it's not a false positive.  The alert triggered on what you wanted it to trigger on, and even more it helped you find a system that is operating incorrectly.
> I guess I don't see how it's a false positive.  My point is, and not picking on you David, but people say False positive a lot in this industry and I think they are just using the wrong terminology.
> Pedantic I know.
> J
> --
> Joel Esler
> [m]

Joel Esler
  http://www.joelesler.net
  http://www.twitter.com/joelesler
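The distinction Joel draws above (the rule fired on exactly what it looks for; the finding is a backup server on the wrong network, not a bad signature) is the kind of call an analyst makes on every alert line. The following is an added example, not code from the thread or from Emerging Threats or Snort: it parses one line of Snort "fast" alert output in the format quoted above, checks the source against a hypothetical inventory of known backup servers and their intended backup network, and returns a verdict. Where the source is known and already on the backup network it emits a suppression scoped to that one host (Snort 2 `threshold.conf` syntax) instead of disabling the rule. The addresses, the inventory and the `10.50.0.0/16` backup network are constructed values; port 13724 is taken from the quoted alert.

```python
import ipaddress
import re

# Constructed sample alerts in Snort's "fast" alert format, modelled on the
# NetBackup alert quoted in the thread; the masked "xx" octets are replaced
# with constructed addresses.
ALERT_BACKUP_ON_WRONG_NETWORK = (
    "01/15-20:41:50.368405  [**] [1:2003055:4] ET MALWARE Suspicious 220 Banner "
    "on Local Port [**] [Classification: Detection of a non-standard protocol "
    "or event] [Priority: 2] {TCP} 172.20.10.5:13724 -> 192.168.1.20:2453"
)
ALERT_BACKUP_ON_BACKUP_NETWORK = ALERT_BACKUP_ON_WRONG_NETWORK.replace(
    "192.168.1.20:2453", "10.50.3.7:2453"
)
ALERT_UNKNOWN_SOURCE = ALERT_BACKUP_ON_WRONG_NETWORK.replace(
    "172.20.10.5:13724", "172.20.10.99:13724"
)

# Hypothetical inventory: hosts that legitimately run the backup service, the
# port it listens on (from the quoted alert), and the network backup traffic
# is supposed to stay on.
KNOWN_BACKUP_SERVERS = {"172.20.10.5"}
BACKUP_PORT = 13724
BACKUP_NETWORK = ipaddress.ip_network("10.50.0.0/16")

# One TCP/UDP line of Snort fast-alert output. ICMP alerts carry no ports and
# are deliberately not matched, so they come back as "unparsed".
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<classification>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_fast_alert(line):
    """Parse one fast-format alert line into a dict, or return None."""
    m = FAST_ALERT_RE.match(line.strip())
    if m is None:
        return None
    alert = m.groupdict()
    for key in ("gid", "sid", "rev", "priority", "sport", "dport"):
        alert[key] = int(alert[key])
    return alert


def suppress_line(alert):
    """Snort 2 threshold.conf suppression scoped to the alert's source host.

    Tracking by_src for one known host keeps the signature live for every
    other source; this is the alternative to switching the rule off."""
    return "suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}".format(**alert)


def classify(line):
    """Return (verdict, suppression-or-None) for one alert line."""
    alert = parse_fast_alert(line)
    if alert is None:
        return ("unparsed", None)
    src = alert["src"]
    dst = ipaddress.ip_address(alert["dst"])
    if src in KNOWN_BACKUP_SERVERS and alert["sport"] == BACKUP_PORT:
        if dst in BACKUP_NETWORK:
            # Known backup server on the backup network: expected traffic, so
            # suppress for this one source rather than disabling the rule.
            return ("expected-known-source", suppress_line(alert))
        # Known backup server talking outside the backup network: the rule
        # fired correctly and the finding is a misconfigured host (the case
        # in the thread), not a false positive. Nothing to suppress.
        return ("misrouted-backup-traffic", None)
    # Unknown source offering a 220 banner on that port: needs a human.
    return ("investigate", None)


if __name__ == "__main__":
    for sample in (ALERT_BACKUP_ON_WRONG_NETWORK,
                   ALERT_BACKUP_ON_BACKUP_NETWORK,
                   ALERT_UNKNOWN_SOURCE):
        print(classify(sample))
```

Run against the three constructed lines, the first (the thread's case) comes back as `misrouted-backup-traffic` with no suppression, the second as expected traffic with a single-host suppress line, and the third as `investigate`. The inventory lookup is what turns "the rule is noisy" into "this host is on the wrong network", which is the point of keeping the signature enabled.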
