Submit a False Positive

You can submit false positives to the VRT in two ways.

False Positive Uploader

If you have an account on Snort.org, you can use the false positive uploader. This form has fields for all the values we need and can upload multiple files at once.

Contact Via Email

To reproduce and ultimately solve the problem you're experiencing, the VRT needs some basic information. When you report a false positive, please include the following in your report. Without this information there is little we can do to help.

All false positive reports should include:

  • A description of why you think it's a false positive
  • SID and GID for the event
  • The version of Snort you're running
  • OS Version
  • Whether Snort was built from source or installed from a binary package
  • Whether you've used a non-standard PCAP library
  • Full PCAP (where PCAPs can't be collected, unified log files are acceptable)
  • Full Snort conf
  • Command line options passed to Snort

Including the above information is critical for the VRT to accurately reproduce and solve the problem.
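
As an added example (not from the VRT or the Snort project), the shell functions below pull the GID and SID out of a fast-format alert line and write the text part of a report covering the items listed above, refusing to continue if the PCAP or Snort conf is missing or empty. The function names, argument order and file paths are assumptions made for this example.

```shell
#!/bin/sh
# Added example: helper names and argument order are hypothetical, not Snort's.

# Print "GID SID" from a fast-format alert line: [**] [GID:SID:REV] msg [**]
alert_ids() {
    printf '%s\n' "$1" |
        sed -n 's/.*\[\([0-9]\{1,\}\):\([0-9]\{1,\}\):[0-9]\{1,\}\].*/\1 \2/p'
}

# Print the attachments that are missing or empty. args: pcap conf
missing_items() {
    miss=""
    [ -s "$1" ] || miss="$miss pcap"
    [ -s "$2" ] || miss="$miss snort.conf"
    printf '%s' "${miss# }"
}

# Write the text part of the report to stdout.
# args: alert-line reason install-method pcap-library pcap conf snort-cmdline
build_report() {
    ids=$(alert_ids "$1")
    [ -n "$ids" ] || { echo "no [GID:SID:REV] in alert line" >&2; return 1; }
    miss=$(missing_items "$5" "$6")
    [ -z "$miss" ] || { echo "missing or empty: $miss" >&2; return 1; }
    # snort -V prints the version banner; fall back if snort cannot be run here
    ver=$(snort -V 2>&1) || ver="snort not runnable here; fill in by hand"
    cat <<EOF
Why this is a false positive: $2
GID: ${ids% *}
SID: ${ids#* }
Snort version: $ver
OS version: $(uname -sr)
Built from source or binary package: $3
PCAP library: $4
Snort command line: $7
Attach: $5 (full PCAP), $6 (full Snort conf)
EOF
}

# Stand-alone use: pass the seven arguments described above.
if [ "$#" -eq 7 ]; then build_report "$@"; fi
```

Run it on the sensor that raised the alert so the Snort and OS versions in the report match the system where the false positive occurred.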

For more details on effective problem reporting, check out this webinar.

False positives can be reported to fp@sourcefire.com, the Snort-Sigs mailing list or #Snort on Freenode. The VRT actively monitors all of these channels. If a false positive is reported somewhere else, there is a good chance the VRT will not see it.