[Snort-sigs] more gripes about todays rule changes ;-)

Russell Fulton r.fulton at ...575...
Wed Jun 5 22:23:08 EDT 2002


The following new rules with sids:

1768
1748
1792
1690
1679

cause large numbers of false +ves.  Some are attempts to detect buffer
overflows simply based on the amount of data in the packet (dsize); these
are generating nearly 1000 false positives an hour.  The others are
Oracle rules that trigger on simple words (e.g. describe and grant) on all
ports including web traffic.  Every web page that has these words
triggers these rules.

Cheers, Russell.
-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand
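
The two false-positive patterns described in the message above, as an added example that is not part of the original post and is not Snort code: a toy matcher run over constructed traffic, comparing an unscoped keyword or size test with the same test restricted to the relevant service port. The port numbers (1521 as the Oracle listener, 9999 as a hypothetical short-request service), the 1000-byte threshold and all packets are assumptions made for illustration; the actual rule bodies for the listed sids are not shown on this page.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

@dataclass(frozen=True)
class Packet:
    server_port: int   # port of the service side of the conversation
    payload: bytes

@dataclass(frozen=True)
class Rule:
    """Toy stand-in for a signature: optional port scope, size floor, keyword."""
    name: str
    ports: Optional[FrozenSet[int]] = None  # None means "any port"
    min_dsize: Optional[int] = None         # fire only if payload is larger
    content: Optional[bytes] = None         # case-insensitive substring

    def matches(self, pkt: Packet) -> bool:
        if self.ports is not None and pkt.server_port not in self.ports:
            return False
        if self.min_dsize is not None and len(pkt.payload) <= self.min_dsize:
            return False
        if self.content is not None and self.content not in pkt.payload.lower():
            return False
        return True

ORACLE_PORT = 1521      # assumption: default Oracle listener port
SHORT_SVC_PORT = 9999   # hypothetical service whose requests are normally short

# Constructed traffic (not real captures).
PACKETS = [
    Packet(80, b"<p>These pages describe how to apply for a grant.</p>"),  # web page
    Packet(80, b"POST /upload HTTP/1.1\r\n\r\n" + b"A" * 1400),           # large upload
    Packet(ORACLE_PORT, b"DESCRIBE all_users"),                            # Oracle session
    Packet(SHORT_SVC_PORT, b"X" * 1400),                                   # oversized request
]

RULES = {
    "kw_any": Rule("keyword, any port", content=b"describe"),
    "kw_scoped": Rule("keyword, Oracle port", frozenset({ORACLE_PORT}), content=b"describe"),
    "size_any": Rule("dsize only, any port", min_dsize=1000),
    "size_scoped": Rule("dsize, service port", frozenset({SHORT_SVC_PORT}), min_dsize=1000),
}

def alerts(rule_key: str) -> List[int]:
    """Indices of PACKETS that the named rule fires on."""
    return [i for i, p in enumerate(PACKETS) if RULES[rule_key].matches(p)]

if __name__ == "__main__":
    for key, rule in RULES.items():
        print(f"{rule.name:22} -> packets {alerts(key)}")
```

The unscoped rules also fire on packets 0 and 1, which are ordinary web traffic; the port-scoped versions fire only on the traffic for the service they are meant to watch.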




