I think the use of the words "false positive" in this instance is
wrong. A false positive indicates that what alerted a rule is not what
is actually taking place in traffic. The rule will alert on what you
have in the rule construct. Now will the "msg" of the alert match what
is actually taking place? That's what you're asking...
It's not possible (hardly) to be able to tell which of the alerts are
"false positives" without actual packet payload data.
Joel
On Jul 18, 2005, at 10:43 AM, Angelita de Cássia Corrêa wrote:
I receive many of these alerts, what are really false positives?
(http_inspect) BARE BYTE UNICODE ENCODING
(http_inspect) OVERSIZE REQUEST-URI DIRECTORY
(http_inspect) IIS UNICODE CODEPOINT ENCODING
(snort_decoder): Truncated Tcp Options
(snort_decoder): Tcp Options found with bad lengths
attempted-recon: (http_inspect) DOUBLE DECODING ATTACK
attempted-dos: ICMP PATH MTU denial of service
misc-activity: ICMP PING CyberKit 2.2 Windows
non-standard-protocol: (http_inspect) OVERSIZE CHUNK ENCODING
Thanks,
Angelita
-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_idt77&alloc_id�492&opÌk
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list
