
Re: Belaboring the point of FPs

From: Martin Roesch <roesch(at)sourcefire.com>
Date: Tue Aug 12 2003 - 20:01:26 EDT


Hi Paul,

Actually I wouldn't call those false positives, Snort did exactly what it was told to do. The concept of Snort's detection engine is very simple, it lets you ask questions about the decoded packets (and streams in later versions) and tells you when it sees the things you asked for. That rule could certainly be tighter but Snort is doing exactly what it was told to do. Reminds me of the old "Shooting yourself in the foot" programming languages pages like this one:

http://noncorporeal.com/people/pathfinder/shoot_yourself_in_the_foot.html

Snort is perfectly content to let you write rules which aren't effective in your environment; I've been saying for years that people need to put together rule sets for their specific environments. I was rather militant about it early on in Snort's history: back in early 1999 Snort shipped with ~50 sample rules and you were supposed to write a set for your environment. That obviously didn't work very well because we have ~2000 rules today...

Don't mean to be pedantic but Snort is rather literal minded about the rules you give it (kinda like C in that way).

      -Marty

On Monday, August 11, 2003, at 10:29 PM, Paul Schmehl wrote:

> Marty, I'm not picking on you, honest I'm not. I'm sitting here at

-- 
Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
Sourcefire: Enterprise-class Intrusion detection built on Snort
roesch(at)sourcefire.com - 
http://www.sourcefire.com
Snort: Open Source Network IDS - 
http://www.snort.org


Received on Wed Aug 13 09:41:24 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:17 EDT

