[Oisf-users] How decrease the number of false positive

Jack Mott jmott at emergingthreats.net
Wed Sep 20 17:43:54 UTC 2017


Hi Rildo,

Thanks for reaching out. In the future, a question like this might be
better directed at the Emerging Threats mailing list [1], as these are ET
sigs/SIDs.

That being said, I would update your ruleset-- the SIDs you pasted are out
of date and are currently at rev:4751. These types of rules update a lot,
so if they are out of date, they will be prone to false positives.

[1] https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

Best,

Jack

On Wed, Sep 20, 2017 at 10:55 AM, Rildo Souza <rildo.souza at rnp.br> wrote:

> Hello People,
>
> Currently I have been receiving a lot of false positive notifications
> related to "Subject": Classification: A Network Trojan was detected.
> The IDs in most cases are:
> [1:2404516:4621]
> [1:2404030:4621]
> [1:2404559:4621]
> [1:2404026:4621]
> [1:2404441:4621]
>
> I checked, and there are many false positives.
>
> Could someone help me to improve my detections in Suricata?
>
> Best Regards,
>
> Rildo Antonio de Souza
> Security Analyst
> Centro de Atendimento a Incidentes de Segurança - CAIS
> Rede Nacional de Ensino e Pesquisa - RNP
> (19) 3787-3368 - http://www.rnp.br/cais
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
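The stale-ruleset point in Jack's reply can be checked mechanically rather than by eye: every Suricata alert carries a [gid:sid:rev] triple, so comparing the rev in the alert with the rev of the same sid in the rules file the engine currently loads tells you whether it is still running an older revision of the signature. The script below is an added example, not from this thread and not Suricata or Emerging Threats code. The fast.log and rules lines it parses are constructed: the SIDs and revs are the ones quoted in the thread, the rule bodies are placeholders and not the real ET rules.

```python
"""Flag Suricata alerts whose signature revision is behind the installed ruleset.

Added example, not from the thread and not Suricata or Emerging Threats code.
If the rev in an alert's [gid:sid:rev] is lower than the rev of the same sid in
the rules file Suricata currently loads, the running engine is still using an
older revision of that rule. Sample log and rule lines are constructed.
"""
import re

# Constructed fast.log lines in Suricata's fast.log layout; only [gid:sid:rev] is parsed.
SAMPLE_FASTLOG = """\
09/20/2017-10:41:03.123456  [**] [1:2404516:4621] ET CONSTRUCTED example rule A [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.5:51234 -> 192.0.2.10:80
09/20/2017-10:41:07.654321  [**] [1:2404030:4621] ET CONSTRUCTED example rule B [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.7:40112 -> 192.0.2.11:443
09/20/2017-10:41:09.000000  [**] [1:2404030:4621] ET CONSTRUCTED example rule B [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.9:40113 -> 192.0.2.11:443
09/20/2017-10:41:30.000000  [**] [1:2404026:4621] ET CONSTRUCTED example rule D [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 10.0.0.5:5353 -> 192.0.2.13:53
09/20/2017-10:42:00.000000  [**] [1:2404999:4751] ET CONSTRUCTED example rule C [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.8:40200 -> 192.0.2.12:80
"""

# Constructed rules file as it might look after an update; sid 2404026 is no longer in it.
SAMPLE_RULES = """\
alert ip [192.0.2.10] any -> $HOME_NET any (msg:"ET CONSTRUCTED example rule A"; classtype:trojan-activity; sid:2404516; rev:4751;)
alert ip [192.0.2.11] any -> $HOME_NET any (msg:"ET CONSTRUCTED example rule B"; classtype:trojan-activity; sid:2404030; rev:4751;)
alert ip [192.0.2.12] any -> $HOME_NET any (msg:"ET CONSTRUCTED example rule C"; classtype:trojan-activity; sid:2404999; rev:4751;)
# a commented-out rule is disabled and must be ignored
# alert ip any any -> any any (msg:"disabled"; classtype:trojan-activity; sid:2404516; rev:9999;)
"""

ALERT_RE = re.compile(r"\[(\d+):(\d+):(\d+)\]")            # [gid:sid:rev] in fast.log
RULE_RE = re.compile(r"sid:\s*(\d+)\s*;.*?rev:\s*(\d+)\s*;")  # sid/rev options in a rule


def parse_fastlog(text):
    """Return {(gid, sid): (rev, count)} for every distinct signature in fast.log text.

    If one sid shows up with several revs (ruleset changed mid-log), keep the lowest.
    """
    seen = {}
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        gid, sid, rev = (int(x) for x in m.groups())
        old = seen.get((gid, sid))
        if old is None:
            seen[(gid, sid)] = (rev, 1)
        else:
            seen[(gid, sid)] = (min(old[0], rev), old[1] + 1)
    return seen


def parse_rules(text):
    """Return {sid: rev} for enabled rules; commented-out (disabled) rules are skipped."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.search(line)
        if m:
            rules[int(m.group(1))] = int(m.group(2))
    return rules


def stale_alerts(alerts, rules):
    """Return {sid: (alert_rev, ruleset_rev, count, status)}.

    status is 'stale' when the alert rev is behind the ruleset, 'missing' when the
    sid is no longer in the ruleset at all (ruleset_rev is None). Alerts that
    already match the installed rev are not reported.
    """
    report = {}
    for (gid, sid), (rev, count) in alerts.items():
        rule_rev = rules.get(sid)
        if rule_rev is None:
            report[sid] = (rev, None, count, "missing")
        elif rev < rule_rev:
            report[sid] = (rev, rule_rev, count, "stale")
    return report


if __name__ == "__main__":
    for sid, (arev, rrev, n, status) in sorted(
        stale_alerts(parse_fastlog(SAMPLE_FASTLOG), parse_rules(SAMPLE_RULES)).items()
    ):
        print(f"sid {sid}: {n} alert(s) at rev {arev}, ruleset rev {rrev} -> {status}")
```

In practice point it at /var/log/suricata/fast.log and the rules files referenced from suricata.yaml. Anything reported as stale means the engine has not picked up the newer revision: after updating the files, reload them (`suricatasc -c ruleset-reload-rules`, or a restart) and validate with `suricata -T` before trusting that the false positives have gone.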