[Emerging-Sigs] FP:: netbackup

Matt Jonkman jonkman at jonkmans.com
Fri Jan 16 16:12:37 EST 2009


We have the wiki for this purpose. FPs, TPs, issues, etc.

http://doc.emergingthreats.net

or

http://doc.emergingthreats.net/2003055

Everything available is there. :)

Matt

Joel Esler wrote:
> That's something worth discussing...
> 
> J
> 
> On Jan 16, 2009, at 3:06 PM, David Glosser allegedly wrote:
> 
>> Something like this for ET rules would be interesting...
>>
>> On Fri, Jan 16, 2009 at 2:39 PM, Joel Esler <eslerj at gmail.com
>> <mailto:eslerj at gmail.com>> wrote:
>>
>>     When VRT rules are written and reported on, there is a document
>>     included with every single signature in the database.  In this
>>     documentation file, there is a field called false positives.
>>
>>     All of this documentation is available on the Snort.org website
>>     easily by searching for rule number on the left hand side of the page.
>>
>>     J
>>
>>     On Jan 16, 2009, at 11:47 AM, David Glosser allegedly wrote:
>>
>>>     yeah, you are right. Is there a list or database of known "false
>>>     positives" (this time in quotes) or known applications which trip
>>>     on certain rules?
>>>
>>>
>>>     On Fri, Jan 16, 2009 at 11:26 AM, Joel Esler <eslerj at gmail.com
>>>     <mailto:eslerj at gmail.com>> wrote:
>>>
>>>
>>>         On Jan 16, 2009, at 7:22 AM, David Glosser allegedly wrote:
>>>
>>>>         Net Backup False Positive:
>>>>
>>>>         1/15-20:41:50.368405  [**] [1:2003055:4] ET MALWARE
>>>>         Suspicious 220 Banner on Local Port [**] [Classification:
>>>>         Detection of a non-standard protocol or event] [Priority: 2]
>>>>         {TCP} 172.20.xx.xx:13724 -> 192.168.xx.xx:2453
>>>>
>>>>         Yeah, I have to talk to the backup guy and figure out why
>>>>         he's not using the backup network :)
>>>
>>>         So, it's not a false positive.  The alert triggered on what
>>>         you wanted it to trigger on, and even more it helped you find
>>>         a system that is operating incorrectly.
>>>
>>>         I guess I don't see how it's a false positive.  My point is,
>>>         and not picking on you David,  but people say False positive
>>>         a lot in this industry and I think they are just using the
>>>         wrong terminology.
>>>
>>>         Pedantic I know.
>>>
>>>         J
>>>
>>>
>>>
>>>         --
>>>         Joel Esler
>>>http://www.joelesler.net
>>>http://www.twitter.com/joelesler
>>>         [m]
>>>
>>>
>>
>>
>>     --
>>     Joel Esler
>>http://www.joelesler.net
>>http://www.twitter.com/joelesler
>>     [m]
>>
>>
> 
> 
> --
> Joel Esler
>http://www.joelesler.net
>http://www.twitter.com/joelesler
> [m]
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
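As an added illustration of the point Joel makes above (the rule fired on exactly what it was written to detect, and the alert is environment-specific noise rather than a false positive), here is a small triage script. It is not code from the thread, from Emerging Threats, or from Snort: it parses Snort "fast"-format alert lines like the one David quoted, checks whether SID 2003055 fired on an inventoried backup server answering on port 13724, and, for those hits, emits a source-scoped `suppress` line in Snort's threshold.conf syntax so the rule keeps firing for any other host presenting a 220 banner. The alert lines, the backup network and the hostnames are all constructed; the original alert's addresses are masked, so none of these values come from the page.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed sample lines in Snort "fast" alert format, modelled on the alert
# quoted in the thread. Addresses are constructed (the original is masked).
SAMPLE_ALERTS = [
    "01/15-20:41:50.368405  [**] [1:2003055:4] ET MALWARE Suspicious 220 Banner "
    "on Local Port [**] [Classification: Detection of a non-standard protocol or "
    "event] [Priority: 2] {TCP} 172.20.10.5:13724 -> 192.168.1.40:2453",
    "01/15-21:02:11.000123  [**] [1:2003055:4] ET MALWARE Suspicious 220 Banner "
    "on Local Port [**] [Classification: Detection of a non-standard protocol or "
    "event] [Priority: 2] {TCP} 10.9.8.7:4444 -> 192.168.1.41:50112",
]

# One fast-format line: timestamp, [gid:sid:rev], message, optional
# classification, priority, protocol, src[:port] -> dst[:port].
# Ports are absent for protocols such as ICMP; IPv6 literals are not handled.
FAST_RE = re.compile(r"""
    ^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+
    \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+
    (?:\[Classification:\s+(?P<classification>[^\]]*)\]\s+)?
    \[Priority:\s+(?P<priority>\d+)\]\s+
    \{(?P<proto>\w+)\}\s+
    (?P<src>[^:\s]+)(?::(?P<sport>\d+))?\s+->\s+
    (?P<dst>[^:\s]+)(?::(?P<dport>\d+))?\s*$
""", re.VERBOSE)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def parse_fast_alert(line: str) -> Alert:
    """Parse one fast-format alert line; raise ValueError on anything else."""
    m = FAST_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Snort fast-format alert: {line!r}")
    g = m.groupdict()
    return Alert(
        timestamp=g["ts"], gid=int(g["gid"]), sid=int(g["sid"]), rev=int(g["rev"]),
        msg=g["msg"], classification=g["classification"],
        priority=int(g["priority"]), proto=g["proto"],
        src=g["src"], sport=int(g["sport"]) if g["sport"] else None,
        dst=g["dst"], dport=int(g["dport"]) if g["dport"] else None,
    )


# Constructed inventory: the network the backup servers live on and the port
# they are expected to answer on (13724 is the alert's source port in the thread).
KNOWN_BACKUP_NETS = [ip_network("172.20.10.0/24")]
NETBACKUP_PORT = 13724
BANNER_SID = 2003055


def triage(alert: Alert) -> str:
    """'known_service' when the 220 banner came from an inventoried backup
    server on its expected port, otherwise 'investigate'. In both cases the
    rule matched what it was written to detect; 'known_service' only means the
    hit is explained by the inventory and is a candidate for suppression."""
    src = ip_address(alert.src)
    if (alert.sid == BANNER_SID and alert.sport == NETBACKUP_PORT
            and any(src in net for net in KNOWN_BACKUP_NETS)):
        return "known_service"
    return "investigate"


def suppress_line(alert: Alert) -> str:
    """threshold.conf entry scoped to this one source, so the signature still
    fires for every other host that presents a 220 banner on an odd port."""
    return (f"suppress gen_id {alert.gid}, sig_id {alert.sid}, "
            f"track by_src, ip {alert.src}")


def triage_lines(lines: List[str]) -> List[str]:
    """Return one verdict per input line, in order."""
    return [triage(parse_fast_alert(line)) for line in lines]


if __name__ == "__main__":
    for line in SAMPLE_ALERTS:
        a = parse_fast_alert(line)
        verdict = triage(a)
        print(f"{a.src}:{a.sport} -> {a.dst}:{a.dport}  sid={a.sid}  {verdict}")
        if verdict == "known_service":
            print("  ", suppress_line(a))
```

Suppression by source keeps the detection intact for the rest of the network; the hit on the unexplained host still lands as "investigate", which is the outcome the thread describes: the alert pointed at a machine that was not using the backup network as intended.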
