[Snort-sigs] 2515 "WEB-MISC PCT Client_Hello" FPs

sekure sekure at ...2420...
Fri Jun 25 11:43:01 EDT 2004


I am wondering if any more tightening up can be performed on the rev:9
of this rule.  I still see a lot of False Positives.  It also
accurately alerts on "legitimate" overflow attempts, but the FPs are
killing me.

I guess I can always suppress it since I am not really running any IIS
boxes, but I like to keep most of the current rules on, even if they
don't apply to me, just to see who is trying what.

Any ideas?



