[Snort-sigs] False +ves: SID 2517 Message IMAP PCT Client_Hello overflow attempt

Nigel Houghton nigel at ...435...
Tue Jun 22 17:15:10 EDT 2004


On  0, Russell Fulton <r.fulton at ...575...> allegedly wrote:
> H Folks,
> 
> I am seeing large numbers of false +ves on this rule, is there anything
> that can be done to tighten it up?

Can you elaborate on what false positives you are seeing? Please send a
packet capture if you can. (off list is fine I'm not sure it would go down
well for people using the list digest :) )

-------------------------------------------------------------
Nigel Houghton       Research Engineer        Sourcefire Inc.
                 Vulnerability Research Team

In an emergency situation involving two or more officers of equal rank,
seniority will be granted to whichever officer can program a vcr.




More information about the Snort-sigs mailing list