[Snort-sigs] Update for sid 1394 - false positive update

hitman at ...2107...
Tue Dec 30 07:50:38 EST 2003


Hi,

This is an addition to the rule for SID 1394.
I noticed false positives get generated for this if Snort sees IRC traffic that
looks like this:

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

Form below..


Rule:  

--
Sid:
 1394
--
Summary:

--
Impact:

--
Detailed Information:

--
Affected Systems:

--
Attack Scenarios:

--
Ease of Attack:

--
False Positives:
A false positive can be generated if the Snort sensor detects text from an IRC
client or any other application that passes data in plaintext. The alert is
generated if Snort detects several (a) characters in a row - such as
'aaaaaaaaaa'.
--
False Negatives:

--
Corrective Action:

--
Contributors:

-- 
Additional References:

