[Snort-sigs] Rule 1797 triggered by Win XP SP2 download
ghostettler at ...2716...
Mon Aug 9 16:06:01 EDT 2004
Getting false positives on sid 1797 (BDSM) while downloading Win XP SP2,
English and German versions (as well as a bunch of bleedingsnort sids).

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN BDSM";
content:"BDSM"; nocase; flow:to_client,established; classtype:kickass-porn;

It just reacts to "BDSM", w/o any other check.
Not a big deal when downloading, but when pushing this to workstations from
SUS, I bet this will raise many, many, many more false alarms!
So be warned and do not suspect all your users of surfing porn sites at the
same time ;-)

Caracal - G. Hostettler
6, ch. du Raidillon
General work e-mail: info at ...2716...
Personal e-mail: ghostettler at ...2716...
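
Why a bare four-byte `nocase` content match is bound to fire on large binary downloads, as an added example that is not part of the original post. It assumes the payload behaves like uniformly random bytes (roughly true of compressed installers) and contrasts the bare keyword match with a hypothetical Content-Type gate; the function names, sample responses and sizes are constructed for illustration and are not Snort syntax.

```python
import math
import random
import re

def per_offset_probability(pattern: bytes) -> float:
    """Chance that uniformly random bytes match `pattern` at one offset, ignoring case."""
    p = 1.0
    for b in pattern:
        ch = bytes([b])
        p *= len({ch.lower(), ch.upper()}) / 256  # a letter matches 2 byte values
    return p

def expected_hits(pattern: bytes, n_bytes: int) -> float:
    """Expected number of chance matches in n_bytes of random payload."""
    return max(n_bytes - len(pattern) + 1, 0) * per_offset_probability(pattern)

def prob_at_least_one(pattern: bytes, n_bytes: int) -> float:
    """Poisson approximation; fine here because "BDSM" cannot overlap itself."""
    return 1.0 - math.exp(-expected_hits(pattern, n_bytes))

def count_nocase_hits(data: bytes, pattern: bytes) -> int:
    return len(re.findall(re.escape(pattern), data, re.IGNORECASE))

def alerts(response: bytes, pattern: bytes, text_only: bool) -> bool:
    """Keyword check on one HTTP response; text_only adds a Content-Type gate
    (hypothetical extra check, shown as plain logic rather than rule syntax)."""
    head, _, body = response.partition(b"\r\n\r\n")
    if text_only and not re.search(rb"(?im)^content-type:\s*text/", head):
        return False
    return count_nocase_hits(body, pattern) > 0

# Constructed samples: a binary download that happens to contain the four
# bytes, and an HTML page that really uses the word.
_noise = random.Random(1797).getrandbits(8 * 4096).to_bytes(4096, "little")
BINARY = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
          + _noise + b"\x00bDsM\x91" + _noise)
PAGE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<title>bdsm</title>"

if __name__ == "__main__":
    for mib in (1, 64, 256):  # illustrative download sizes, not from the post
        n = mib << 20
        print(f"{mib:>4} MiB: expected hits {expected_hits(b'BDSM', n):.3f}, "
              f"P(alert) {prob_at_least_one(b'BDSM', n):.1%}")
    for name, resp in (("binary", BINARY), ("page", PAGE)):
        print(name, "bare:", alerts(resp, b"BDSM", False),
              "gated:", alerts(resp, b"BDSM", True))
```

Under this model a 256 MiB transfer carries about one expected chance hit, so pushing the same file to many clients multiplies the alert count by the number of downloads.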