[Snort-sigs] False positive C$ - signatures 2470, 2472, 2471 and 533

Brian bmc at ...95...
Wed Jul 14 14:21:14 EDT 2004


On Tue, Jul 13, 2004 at 09:36:16PM +0200, erik at ...835... wrote:
> There seem to be a "bug" in the Snort rulebase regarding signatures
> matching IPC$ and C$ share access. The signatures which are suppose to
> alert on ipc$ access are overlapping the signatures regarding c$.

There is a better method for doing this, and the method just went out
in a rule push.  You should see it in a few minutes in the public CVS
server.

-brian




More information about the Snort-sigs mailing list