[Snort-sigs] Question about sid: 1002

Paul Schmehl pauls at ...1311...
Thu Apr 3 09:35:36 EST 2003

On Thu, 2003-04-03 at 09:05, Brian wrote:
> Because you would not pick up the scanners that just look for cmd.exe
OK, but in order to actually exploit the vulnerability, don't you have
to use the question mark format?

(The problem I'm seeing is FPs every time someone runs WindowsUpdate,
which is quite frequent on our campus.  It obscures the boxes that are
actually infected with CodeRed.)

Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member

More information about the Snort-sigs mailing list