[Snort-sigs] more gripes about today's rule changes ;-)

Russell Fulton r.fulton at ...575...
Wed Jun 5 22:23:08 EDT 2002

The following new rules with sids:


Cause large numbers of false +ves.  Some are attempts to detect buffer
overflows simply based on the amount of data in the packet (dsize); these
are generating nearly 1000 false positives an hour.  The others are
Oracle rules that trigger on simple words (e.g. describe and grant) on all
ports including web traffic.  Every web page that has these words
triggers these rules.

Cheers, Russell.
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand
