[Snort-sigs] Re: Holy False Positives Batman

Matthew Jonkman matt at ...2436...
Tue Jun 15 12:48:03 EDT 2004

Here's the rule to save everyone looking it up:

Invalid HTTP Version String"; flow:to_server,established; content:
"HTTP/"; isdataat:6,relative; content:!"|0A|"; within:4; 
reference:bugtraq,9809; reference:nessus,11593; 
classtype:non-standard-protocol; sid:2570; rev:3;)

Matthew Jonkman wrote:

> Nice work on all the new signature changes Brian. Except one of them. 
> 2570 is hitting a false positive on about every http hit in and out of 
> networks we watch. I can't find anything unusual about what it's hitting 
> on.
> Anyone else seeing this?
> Matt

Matthew Jonkman, CISSP
Senior Security Engineer

More information about the Snort-sigs mailing list