[Snort-sigs] Change to false positives for rule 1948

A.Jones at ...2695... A.Jones at ...2695...
Wed Aug 4 13:37:03 EDT 2004


Sid: 1948
False Positives: A TTL of the form 0x0000fcxx triggers this, too.

Additional comment for the Snort team: This is darned hard to write a rule
for, though. I tried to come up with better things to match against, but
there isn't really anything short of writing a complete DNS parser.

			-&




More information about the Snort-sigs mailing list