[Snort-sigs] Re: Holy False Positives Batman
bmc at ...95...
Wed Jun 16 09:04:12 EDT 2004
On Tue, Jun 15, 2004 at 02:47:06PM -0500, Matthew Jonkman wrote:
> Here's the rule to save everyone looking it up:
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC
> Invalid HTTP Version String"; flow:to_server,established; content:
> "HTTP/"; isdataat:6,relative; content:!"|0A|"; within:4;
> reference:bugtraq,9809; reference:nessus,11593;
> classtype:non-standard-protocol; sid:2570; rev:3;)
Yep, the rule is broken.
Increase the within by 1. I'll be pushing out an updated rule
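
Why the one-byte change matters, as an added example that is not part of the original post: a simplified Python model of the rule's `content` / `isdataat` / negated `content` with `within` chain, run with `within:4` and `within:5`. The model and the sample payloads are constructed assumptions, not Snort's detection engine or captured traffic.

```python
# Simplified model (an assumption, not Snort's engine) of the option chain in sid 2570:
#   content:"HTTP/"; isdataat:6,relative; content:!"|0A|"; within:N;

def rule_alerts(payload: bytes, within: int) -> bool:
    """Return True if the modelled rule would alert on this payload."""
    start = 0
    while True:
        hit = payload.find(b"HTTP/", start)
        if hit == -1:
            return False
        cursor = hit + len(b"HTTP/")      # relative options start after the match
        # isdataat:6,relative -> a byte must exist 6 bytes past the cursor
        if cursor + 6 < len(payload):
            window = payload[cursor:cursor + within]
            # content:!"|0A|"; within:N -> passes only if no LF in the window
            if b"\n" not in window:
                return True
        start = hit + 1                    # retry on a later "HTTP/" occurrence


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "normal 1.1 CRLF": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "normal 1.0 CRLF": b"GET / HTTP/1.0\r\nUser-Agent: test\r\n\r\n",
    "normal 1.1 bare LF": b"GET / HTTP/1.1\nHost: www.example.com\n\n",
    "overlong version": b"GET / HTTP/1.1AAAAAAAAAAAAAAAA\r\nHost: www.example.com\r\n\r\n",
}


def compare():
    """Map each sample name to (alerts with within:4, alerts with within:5)."""
    return {name: (rule_alerts(p, 4), rule_alerts(p, 5)) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (rev3, widened) in compare().items():
        print(f"{name:20} within:4 -> {rev3!s:5}  within:5 -> {widened}")
```

In this model, the four bytes after `HTTP/` in a CRLF-terminated request line are `1.1` plus the carriage return, so the line feed is the fifth byte and `within:4` never sees it.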