[Snort-sigs] False Positive on 1062
stan at ...2219...
Wed Feb 11 09:19:13 EST 2004
# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
Ease of Attack:
I was in the middle of downloading an .exe file from my web server from
a remote location when this rule was violated. The file I was
downloading was called "intellisync.exe". Looks like the rule only looks
at the five most characters from the right and ignores the rest of the
characters to the left.
That would make "intellisync.exe" look like "nc.exe".
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-sigs