[Snort-sigs] WEB-ATTACKS mail command attempt false positives

Sheahan, Paul (PCLN-NW) Paul.Sheahan at ...421...
Thu Mar 7 19:32:24 EST 2002


Hello,

I just upgraded to Snort 1.9dev on RHLinux 7.0 and noticed the signature
"WEB-ATTACKS mail command attempt" is generating false positives
occasionally. I checked the rule which looks for "/bin/mail" but none of the
traces have "/bin/mail" in them. It happened about 5 times in one day from 5
different sources.


Thanks,

Paul Sheahan
Manager of Information Security
Priceline.com
paul.sheahan at ...421...






More information about the Snort-sigs mailing list