[Snort-sigs] Unknown IIS Worm Sigs

Brian bmc at ...95...
Fri Jun 25 07:41:08 EDT 2004


On Fri, Jun 25, 2004 at 09:35:23AM -0500, Matthew Jonkman wrote:
> >In many configurations, the rules being passed around won't work.
> >Any javascript can be encoded in any arbitrary manner and these won't
> >work at all.  
> 
> We do have rules out there that will tell you if you have infected PCs 
> on the inside. I personally have 2577 below disabled. It was giving me 
> hundreds of falses an hour. I last tried it on the current rev and 
> still had issues. I'll give it another shot though and see if I can 
> provide some feedback.

Can you send me a pcap of these false positives?  I don't see em on my
networks...

Brian



