[Snort-sigs] Unknown IIS Issue
frank at ...1978...
Wed Jul 28 11:33:26 EDT 2004
On Mon, 2004-07-19 at 16:29, Matthew Jonkman wrote:
> Yes, I agree it does. In fact we had 2 rules on bleeding that both
> covered it by just seeing the THCOWNZIIS string in the ssl stream. I was
> just talking to 2 people today though that are not seieng both
> signatures trip at the same time, which I assume should happen.
> I'm getting 40 or 50 hits on the sig just looking for THCOWNZIIS that
> look legitimate. They're in an ssl stream close to the beginning of the
> conversation. But no hits on 2515 at the same time.
> I haven't had time to look into it yet though. Once I do I'll send
> packet dumps out to see if anyone has any odeas.
Have you been able to determine if those 40-50 hits you are seeing are
just plain false positives, or actual exploit attempts not caught by the
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 187 bytes
Desc: This is a digitally signed message part
More information about the Snort-sigs