Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Snort-users] False positive

from [Angelita de Cássia Corrêa] Network Security [Permanent Link]
Subject: Re: [Snort-users] False positive
Date: Mon, 18 Jul 2005 12:10:02 -0300 
The payloads don't have data.

Before turn off these pre processors, I'm trying to understand them. I need
to calculate how many false positives the snort shows.

Thanks

----- Original Message ----- 
From: "Joel Esler" <eslerj@gmail.com>
To: "Angelita de Cássia Corrêa" <angelita@uol.com.br>
Cc: <snort-users@lists.sourceforge.net>
Sent: Monday, July 18, 2005 11:59 AM
Subject: Re: [Snort-users] False positive


I think the use of the words "false positive" in this instance is
wrong.  A false positive indicates that what alerted a rule is not what
is actually taking place in traffic.  The rule will alert on what you
have in the rule construct.  Now will the "msg" of the alert match what
is actually taking place?  That's what you're asking...

It's not possible (hardly) to be able to tell which of the alerts are
"false positives" without actual packet payload data.

Joel

On Jul 18, 2005, at 10:43 AM, Angelita de Cássia Corrêa wrote:


I receive many of these alerts, what are really false positives?

(http_inspect) BARE BYTE UNICODE ENCODING
(http_inspect) OVERSIZE REQUEST-URI DIRECTORY
(http_inspect) IIS UNICODE CODEPOINT ENCODING
(snort_decoder): Truncated Tcp Options
(snort_decoder): Tcp Options found with bad lengths
attempted-recon: (http_inspect) DOUBLE DECODING ATTACK
attempted-dos: ICMP PATH MTU denial of service
misc-activity: ICMP PING CyberKit 2.2 Windows
non-standard-protocol: (http_inspect) OVERSIZE CHUNK ENCODING

Thanks,
Angelita





-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_idt77&alloc_id492&opÌk
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Snort-users] False positive, Joel Esler
Next by Date:  Re: [Snort-users] False positive, Angelita de Cássia Corrêa
Previous by Thread:  Re: [Snort-users] False positive, Joel Esler
Next by Thread:  [Snort-users] gui, Plantier, Spencer
Indexes:  [Date] [Thread] [Top] [All Lists]