[Snort-sigs] False positives in rule 1113

Federico Petronio petrus at ...2312...
Fri Jul 23 11:11:04 EDT 2004


Hi... I am getting some false positives in rule 1113

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC http directory traversal"; flow:to_server,established; content:"../"; reference:arachnids,297; classtype:attempted-recon; sid:1113; rev:5;)

Is there any improvement over this rule to reduce the amount of false 
positives? I thought about changing content for uricontent, do you think 
that will help? Will it reduce the effectiveness of the rule?

Thank you
-- 
                                         Federico Petronio
                                         petrus at ...2312...
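
To see which part of a request makes a payload-wide `content:"../"` match fire, the following added example (not part of the original post, and not Snort code) splits HTTP requests and reports where `../` occurs. The sample requests are constructed, the function names are hypothetical, and Snort's URI normalization is not modelled.

```python
PATTERN = b"../"

# Constructed sample requests (not captured traffic).
SAMPLES = {
    "traversal_in_uri": b"GET /scripts/../../private/file.txt HTTP/1.0\r\n"
                        b"Host: www.example.com\r\n\r\n",
    "relative_referer": b"GET /img/logo.gif HTTP/1.0\r\nHost: www.example.com\r\n"
                        b"Referer: http://www.example.com/docs/../index.html\r\n\r\n",
    "post_body": b"POST /cms/save HTTP/1.0\r\nHost: www.example.com\r\n"
                 b"Content-Length: 26\r\n\r\nbody=<a href=\"../up.html\">",
    "clean": b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
}

def payload_match(payload, pattern=PATTERN):
    """Payload-wide match, as with content:"../": any offset in the data."""
    return pattern in payload

def locate(payload, pattern=PATTERN):
    """Return the request parts that contain the pattern:
    'uri', 'header:<name>' and/or 'body'."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].split(b" ")
    uri = request_line[1] if len(request_line) >= 2 else b""
    hits = []
    if pattern in uri:
        hits.append("uri")
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if pattern in value:
            hits.append("header:" + name.decode("latin-1").strip().lower())
    if pattern in body:
        hits.append("body")
    return hits

def triage(samples):
    """Map sample name -> (payload-wide match?, where the pattern sits)."""
    return {name: (payload_match(p), locate(p)) for name, p in samples.items()}

if __name__ == "__main__":
    for name, (fired, where) in triage(SAMPLES).items():
        print(f"{name:18} fires={fired!s:5} location={where}")
```

Alerts whose only location is a header or the body are the candidates for false positives; alerts located in the URI are the ones a URI-scoped match would still need to cover.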



