[Emerging-Sigs] FP:: netbackup

Joel Esler eslerj at gmail.com
Fri Jan 16 15:09:22 EST 2009


That's something worth discussing...

J

On Jan 16, 2009, at 3:06 PM, David Glosser allegedly wrote:

> Something like this for ET rules would be interesting...
>
> On Fri, Jan 16, 2009 at 2:39 PM, Joel Esler <eslerj at gmail.com> wrote:
> When VRT rules are written and reported on, there is a document  
> included with every single signature in the database.  In this  
> documentation file, there is a field called false positives.
>
> All of this documentation is available on the Snort.org website  
> easily by searching for rule number on the left hand side of the page.
>
> J
>
> On Jan 16, 2009, at 11:47 AM, David Glosser allegedly wrote:
>
>> yeah, you are right. Is there a list or database of known "false  
>> positives" (this time in quotes) or known applications which trip  
>> on certain rules?
>>
>>
>> On Fri, Jan 16, 2009 at 11:26 AM, Joel Esler <eslerj at gmail.com>  
>> wrote:
>>
>> On Jan 16, 2009, at 7:22 AM, David Glosser allegedly wrote:
>>
>>> Net Backup False Positive:
>>>
>>> 1/15-20:41:50.368405  [**] [1:2003055:4] ET MALWARE Suspicious 220 Banner on Local Port [**] [Classification: Detection of a non-standard protocol or event] [Priority: 2] {TCP} 172.20.xx.xx:13724 -> 192.168.xx.xx:2453
>>>
>>> Yeah, I have to talk to the backup guy and figure out why he's not  
>>> using the backup network :)
>>
>> So, it's not a false positive.  The alert triggered on what you  
>> wanted it to trigger on, and even more it helped you find a system  
>> that is operating incorrectly.
>>
>> I guess I don't see how it's a false positive.  My point is, and  
>> not picking on you David,  but people say False positive a lot in  
>> this industry and I think they are just using the wrong terminology.
>>
>> Pedantic I know.
>>
>> J
>>
>>
>>
>> --
>> Joel Esler
>>http://www.joelesler.net
>>http://www.twitter.com/joelesler
>> [m]
>>
>>
>
>
> --
> Joel Esler
>http://www.joelesler.net
>http://www.twitter.com/joelesler
> [m]
>
>


--
Joel Esler
http://www.joelesler.net
http://www.twitter.com/joelesler
[m]
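An added example, not from the thread or from Emerging Threats, of how a defender might act on the alert quoted above: parse Snort's fast alert format and then triage by whether a known application (NetBackup's bpcd service on TCP 13724, the source port in the alert) is talking from the network it belongs on, which is the distinction Joel draws between a false positive and a rule that fired correctly on a misplaced host. The KNOWN_APPS table, the backup network 10.99.0.0/24 and the sample addresses are assumptions constructed for the example.

```python
import ipaddress
import re
from collections import namedtuple

# Snort "fast" alert line layout: timestamp, [gid:sid:rev], message,
# optional classification, priority, protocol, src:port -> dst:port.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?\[Priority:\s+(?P<pri>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

Alert = namedtuple("Alert", "sid msg src sport dst dport")

def parse_alert(line: str) -> Alert:
    m = ALERT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Snort fast alert: {line!r}")
    return Alert(int(m["sid"]), m["msg"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))

# Hypothetical site knowledge: (sid, server port) -> application that legitimately
# sends this banner.  NetBackup's bpcd service listens on TCP 13724.
KNOWN_APPS = {(2003055, 13724): "NetBackup bpcd"}

def triage(alert: Alert, backup_nets) -> str:
    """The rule matched what it was written to match either way; the question is
    whether a known application is talking from the network it belongs on."""
    app = KNOWN_APPS.get((alert.sid, alert.sport))
    if app is None:
        return "review"                 # nothing known about this rule/port pair
    src = ipaddress.ip_address(alert.src)
    if any(src in ipaddress.ip_network(n) for n in backup_nets):
        return f"expected:{app}"        # candidate for a threshold/suppress entry
    return f"misplaced-host:{app}"      # true positive: app outside its network

# Constructed sample alerts (made-up addresses, not the thread's masked ones).
SAMPLE = [
    "01/15-20:41:50.368405  [**] [1:2003055:4] ET MALWARE Suspicious 220 Banner on Local Port [**] "
    "[Classification: Detection of a non-standard protocol or event] [Priority: 2] {TCP} 172.20.5.10:13724 -> 192.168.7.21:2453",
    "01/15-20:42:01.000001  [**] [1:2003055:4] ET MALWARE Suspicious 220 Banner on Local Port [**] "
    "[Classification: Detection of a non-standard protocol or event] [Priority: 2] {TCP} 10.99.0.5:13724 -> 192.168.7.21:2460",
]

def triage_lines(lines, backup_nets=("10.99.0.0/24",)):
    return [triage(parse_alert(line), backup_nets) for line in lines]
```

A "misplaced-host" verdict is the case in the thread: the signature did its job, and the fix belongs with the backup configuration, not the rule.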
