[Snort-sigs] Question about sid: 1002

Paul Schmehl pauls at ...1311...
Thu Apr 3 09:35:36 EST 2003


On Thu, 2003-04-03 at 09:05, Brian wrote:
> 
> Because you would not pick up the scanners that just look for cmd.exe
> 
OK, but in order to actually exploit the vulnerability, don't you have
to use the question mark format?

(The problem I'm seeing is FPs every time someone runs WindowsUpdate,
which is quite frequent on our campus.  It obscures the boxes that are
actually infected with CodeRed.)

-- 
Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/~pauls/
AVIEN Founding Member




