[Emerging-Sigs] FP:: netbackup

David Glosser david.glosser at gmail.com
Fri Jan 16 15:06:32 EST 2009


Something like this for ET rules would be interesting...

On Fri, Jan 16, 2009 at 2:39 PM, Joel Esler <eslerj at gmail.com> wrote:

> When VRT rules are written and reported on, there is a document included
> with every single signature in the database.  In this documentation file,
> there is a field called false positives.
> All of this documentation is available on the Snort.org website easily by
> searching for rule number on the left hand side of the page.
>
> J
>
> On Jan 16, 2009, at 11:47 AM, David Glosser allegedly wrote:
>
> yeah, you are right. Is there a list or database of known "false positives"
> (this time in quotes) or known applications which trip on certain rules?
>
>
> On Fri, Jan 16, 2009 at 11:26 AM, Joel Esler <eslerj at gmail.com> wrote:
>
>>
>> On Jan 16, 2009, at 7:22 AM, David Glosser allegedly wrote:
>>
>> Net Backup False Positive:
>>
>> 1/15-20:41:50.368405  [**] [1:2003055:4] ET MALWARE Suspicious 220 Banner
>> on Local Port [**] [Classification: Detection of a non-standard protocol or
>> event] [Priority: 2] {TCP} 172.20.xx.xx:13724 -> 192.168.xx.xx:2453
>>
>> Yeah, I have to talk to the backup guy and figure out why he's not using
>> the backup network :)
>>
>>
>> So, it's not a false positive.  The alert triggered on what you wanted it
>> to trigger on, and even more it helped you find a system that is operating
>> incorrectly.
>>
>> I guess I don't see how it's a false positive.  My point is, and not
>> picking on you David,  but people say False positive a lot in this industry
>> and I think they are just using the wrong terminology.
>>
>> Pedantic I know.
>>
>> J
>>
>>
>>
>> --
>> Joel Esler
>> http://www.joelesler.net
>> http://www.twitter.com/joelesler
>> [m]
>>
>>
>
>
> --
> Joel Esler
> http://www.joelesler.net
> http://www.twitter.com/joelesler
> [m]
>
>
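As an added example (not part of the thread or of the ET/VRT rule documentation), a small Python triage helper that parses the Snort fast-format alert line David pasted and applies Joel's distinction: the rule fired correctly, so the useful question is whether the source is a known backup server and whether the client it reached is on the backup network. The un-masked octets, the backup-server inventory and the backup network range are constructed assumptions.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed copy of the alert pasted in the thread, rejoined onto one line;
# the masked "xx" octets are replaced with made-up values so it parses.
ALERT = ("1/15-20:41:50.368405  [**] [1:2003055:4] ET MALWARE Suspicious 220 Banner "
         "on Local Port [**] [Classification: Detection of a non-standard protocol or "
         "event] [Priority: 2] {TCP} 172.20.10.5:13724 -> 192.168.1.20:2453")

# Snort "fast" alert output: timestamp, [gid:sid:rev], message, optional
# classification, priority, protocol and the src:port -> dst:port pair.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$")

@dataclass
class Alert:
    gid: int
    sid: int
    rev: int
    msg: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def parse_fast_alert(line: str) -> Alert:
    m = FAST_RE.match(line.strip())
    if not m:
        raise ValueError("not a Snort fast-format alert line")
    return Alert(int(m["gid"]), int(m["sid"]), int(m["rev"]), m["msg"], m["proto"],
                 m["src"], int(m["sport"]), m["dst"], int(m["dport"]))

# Hypothetical site inventory (assumed, not from the thread): the NetBackup
# server and the network that backup traffic is supposed to stay on.
BACKUP_SERVERS = {"172.20.10.5"}
BACKUP_NET = ip_network("10.99.0.0/16")

def triage(a: Alert) -> str:
    """Classify a SID 2003055 hit the way the thread argues it should be read."""
    if a.src not in BACKUP_SERVERS:
        return "investigate"        # unknown host serving a 220 banner: treat as real
    if ip_address(a.dst) in BACKUP_NET:
        return "expected"           # known server, correct network: tuning candidate
    return "misconfigured-client"   # rule fired correctly; client is off the backup net
```

The third outcome is the case in the thread: not a false positive, but a correctly detected host that should be moved onto the backup network rather than a rule to suppress.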